feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/scripts/build-kernel.sh

@@ -96,6 +96,17 @@ echo "==> Enabling required kernel configs..."
 ./scripts/config --enable CONFIG_MEMCG
 ./scripts/config --enable CONFIG_CFS_BANDWIDTH
 
+# Security: AppArmor LSM + Audit subsystem
+echo "==> Enabling AppArmor + Audit kernel configs..."
+./scripts/config --enable CONFIG_AUDIT
+./scripts/config --enable CONFIG_AUDITSYSCALL
+./scripts/config --enable CONFIG_SECURITY
+./scripts/config --enable CONFIG_SECURITYFS
+./scripts/config --enable CONFIG_SECURITY_NETWORK
+./scripts/config --enable CONFIG_SECURITY_APPARMOR
+./scripts/config --set-str CONFIG_LSM "lockdown,yama,apparmor"
+./scripts/config --set-str CONFIG_DEFAULT_SECURITY "apparmor"
+
 # --- Strip unnecessary subsystems for smallest footprint ---
 # This is a headless K8s edge appliance — no sound, GPU, wireless, etc.
 echo "==> Disabling unnecessary subsystems for minimal footprint..."