feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/rootfs/etc/apparmor.d/containerd

@@ -0,0 +1,52 @@
+# AppArmor profile for containerd
+# Start in complain mode to log without blocking
+
+#include <tunables/global>
+
+profile containerd /usr/bin/containerd flags=(complain) {
+  #include <abstractions/base>
+
+  # Binary and shared libraries
+  /usr/bin/containerd                   mr,
+  /usr/lib/**                           mr,
+  /lib/**                               mr,
+
+  # Containerd runtime state
+  /var/lib/containerd/**                rw,
+  /run/containerd/**                    rw,
+
+  # Container image layers and snapshots
+  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/** rw,
+
+  # CNI networking
+  /etc/cni/**                           r,
+  /opt/cni/bin/**                       ix,
+
+  # Proc and sys access for containers
+  @{PROC}/**                            r,
+  /sys/**                               r,
+
+  # Device access for containers
+  /dev/**                               rw,
+
+  # Network access
+  network,
+
+  # Container runtime needs broad capabilities
+  capability,
+
+  # Allow executing container runtimes
+  /usr/bin/containerd-shim-runc-v2      ix,
+  /usr/bin/runc                         ix,
+  /usr/sbin/runc                        ix,
+
+  # Temp files
+  /tmp/**                               rw,
+
+  # Log files
+  /var/log/**                           rw,
+
+  # Signal handling for child processes
+  signal,
+  ptrace,
+}

build/rootfs/etc/apparmor.d/kubelet

@@ -0,0 +1,56 @@
+# AppArmor profile for kubesolo (kubelet + control plane)
+# Start in complain mode to log without blocking
+
+#include <tunables/global>
+
+profile kubesolo /usr/bin/kubesolo flags=(complain) {
+  #include <abstractions/base>
+
+  # Binary and shared libraries
+  /usr/bin/kubesolo                     mr,
+  /usr/lib/**                           mr,
+  /lib/**                               mr,
+
+  # KubeSolo state (etcd/SQLite, certificates, manifests)
+  /var/lib/kubesolo/**                  rw,
+
+  # KubeSolo configuration
+  /etc/kubesolo/**                      r,
+
+  # Containerd socket
+  /run/containerd/**                    rw,
+
+  # CNI networking
+  /etc/cni/**                           r,
+  /opt/cni/bin/**                       ix,
+
+  # Proc and sys access
+  @{PROC}/**                            r,
+  /sys/**                               r,
+
+  # Device access
+  /dev/**                               rw,
+
+  # Network access (API server, kubelet, etcd)
+  network,
+
+  # Control plane needs broad capabilities
+  capability,
+
+  # Kubectl and other tools
+  /usr/bin/kubectl                      ix,
+  /usr/local/bin/**                     ix,
+
+  # Temp files
+  /tmp/**                               rw,
+
+  # Log files
+  /var/log/**                           rw,
+
+  # Kubelet needs to manage pods
+  /var/lib/kubelet/**                   rw,
+
+  # Signal handling
+  signal,
+  ptrace,
+}

build/rootfs/etc/sysctl.d/security.conf

@@ -0,0 +1,27 @@
+# Security hardening — applied automatically by 40-sysctl.sh
+# Network: anti-spoofing
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+# Network: SYN flood protection
+net.ipv4.tcp_syncookies = 1
+# Network: ICMP hardening
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.log_martians = 1
+# Network: IPv6 hardening
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_ra = 0
+# Network: source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+# Kernel: information disclosure
+kernel.kptr_restrict = 2
+kernel.dmesg_restrict = 1
+kernel.perf_event_paranoid = 3
+# Kernel: core dump safety
+fs.suid_dumpable = 0