feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening
(noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module
loading lock after boot, SHA256 checksum verification for downloads,
kernel AppArmor + Audit support, complain-mode AppArmor profiles for
containerd and kubelet, and security integration test.

ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build
from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4-
partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting
GRUB vs RPi boot environments, architecture-aware build scripts, QEMU
aarch64 dev VM and boot test.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

hack/dev-vm-arm64.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# dev-vm-arm64.sh — Launch ARM64 QEMU VM for development
+#
+# Uses qemu-system-aarch64 with -machine virt to emulate an ARM64 system.
+# This is useful for testing ARM64/RPi builds on x86_64 hosts.
+#
+# Usage:
+#   ./hack/dev-vm-arm64.sh                           # Use default kernel + initramfs
+#   ./hack/dev-vm-arm64.sh <kernel> <initramfs>      # Specify custom paths
+#   ./hack/dev-vm-arm64.sh --debug                   # Enable debug logging
+#   ./hack/dev-vm-arm64.sh --shell                   # Drop to emergency shell
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+VMLINUZ=""
+INITRD=""
+EXTRA_APPEND=""
+
+# Parse arguments
+for arg in "$@"; do
+    case "$arg" in
+        --shell)   EXTRA_APPEND="$EXTRA_APPEND kubesolo.shell" ;;
+        --debug)   EXTRA_APPEND="$EXTRA_APPEND kubesolo.debug" ;;
+        *)
+            if [ -z "$VMLINUZ" ]; then
+                VMLINUZ="$arg"
+            elif [ -z "$INITRD" ]; then
+                INITRD="$arg"
+            fi
+            ;;
+    esac
+done
+
+# Defaults
+VMLINUZ="${VMLINUZ:-$PROJECT_ROOT/build/cache/custom-kernel-arm64/Image}"
+INITRD="${INITRD:-$PROJECT_ROOT/build/rootfs-work/kubesolo-os.gz}"
+
+# Verify files exist
+if [ ! -f "$VMLINUZ" ]; then
+    echo "ERROR: Kernel not found: $VMLINUZ"
+    echo "  Run 'make kernel-arm64' to build the ARM64 kernel."
+    exit 1
+fi
+if [ ! -f "$INITRD" ]; then
+    echo "ERROR: Initrd not found: $INITRD"
+    echo "  Run 'make initramfs' to build the initramfs."
+    exit 1
+fi
+
+# Find mkfs.ext4
+MKFS_EXT4=""
+if command -v mkfs.ext4 >/dev/null 2>&1; then
+    MKFS_EXT4="mkfs.ext4"
+elif [ -x "/opt/homebrew/opt/e2fsprogs/sbin/mkfs.ext4" ]; then
+    MKFS_EXT4="/opt/homebrew/opt/e2fsprogs/sbin/mkfs.ext4"
+elif [ -x "/usr/local/opt/e2fsprogs/sbin/mkfs.ext4" ]; then
+    MKFS_EXT4="/usr/local/opt/e2fsprogs/sbin/mkfs.ext4"
+fi
+
+if [ -z "$MKFS_EXT4" ]; then
+    echo "ERROR: mkfs.ext4 not found. Install e2fsprogs:"
+    if [ "$(uname)" = "Darwin" ]; then
+        echo "  brew install e2fsprogs"
+    else
+        echo "  apt install e2fsprogs   # Debian/Ubuntu"
+        echo "  dnf install e2fsprogs   # Fedora/RHEL"
+    fi
+    exit 1
+fi
+
+# Create data disk
+DATA_DISK="$(mktemp /tmp/kubesolo-arm64-data-XXXXXX).img"
+dd if=/dev/zero of="$DATA_DISK" bs=1M count=1024 2>/dev/null
+"$MKFS_EXT4" -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
+trap "rm -f '$DATA_DISK'" EXIT
+
+echo "==> Launching ARM64 QEMU VM..."
+echo "    Kernel: $VMLINUZ"
+echo "    Initrd: $INITRD"
+echo "    Data:   $DATA_DISK"
+echo ""
+echo "    K8s API: localhost:6443"
+echo "    SSH:     localhost:2222"
+echo "    Press Ctrl+A X to exit QEMU"
+echo ""
+
+qemu-system-aarch64 \
+    -machine virt \
+    -cpu cortex-a72 \
+    -m 2048 \
+    -smp 2 \
+    -nographic \
+    -kernel "$VMLINUZ" \
+    -initrd "$INITRD" \
+    -append "console=ttyAMA0 kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND" \
+    -drive "file=$DATA_DISK,format=raw,if=virtio" \
+    -net nic,model=virtio \
+    -net "user,hostfwd=tcp::6443-:6443,hostfwd=tcp::2222-:22"