feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/config/versions.env

@@ -15,5 +15,28 @@ KUBESOLO_INSTALL_URL=https://get.kubesolo.io
 GRUB_VERSION=2.12
 SYSLINUX_VERSION=6.03
 
+# SHA256 checksums for supply chain verification
+# Populate by running: sha256sum build/cache/<file>
+# Leave empty to skip verification (useful for first fetch)
+TINYCORE_ISO_SHA256=""
+KUBESOLO_SHA256=""
+NETFILTER_TCZ_SHA256=""
+NET_BRIDGING_TCZ_SHA256=""
+IPTABLES_TCZ_SHA256=""
+
+# piCore64 (ARM64 — Raspberry Pi)
+PICORE_VERSION=15.0
+PICORE_ARCH=aarch64
+PICORE_IMAGE=piCore-${PICORE_VERSION}.img.gz
+PICORE_IMAGE_URL=http://www.tinycorelinux.net/${PICORE_VERSION%%.*}.x/${PICORE_ARCH}/releases/RPi/${PICORE_IMAGE}
+
+# Raspberry Pi firmware (boot blobs, DTBs)
+RPI_FIRMWARE_TAG=1.20240529
+RPI_FIRMWARE_URL=https://github.com/raspberrypi/firmware/archive/refs/tags/${RPI_FIRMWARE_TAG}.tar.gz
+
+# Raspberry Pi kernel source
+RPI_KERNEL_BRANCH=rpi-6.6.y
+RPI_KERNEL_REPO=https://github.com/raspberrypi/linux
+
 # Output naming
 OS_NAME=kubesolo-os