feat: add security hardening, AppArmor, and ARM64 Raspberry Pi support (Phase 6)

Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test. ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4- partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 13:08:17 -06:00
parent 7abf0e0c04
commit efc7f80b65
38 changed files with 2512 additions and 96 deletions
--- a/51
+++ b/51
@@ -1,9 +1,10 @@
 .PHONY: all fetch kernel build-cloudinit build-update-agent build-cross rootfs initramfs \
-       iso disk-image oci-image \
+       iso disk-image oci-image rpi-image \
-       test-boot test-k8s test-persistence test-deploy test-storage test-all \
+       kernel-arm64 rootfs-arm64 \
-       test-cloudinit test-update-agent \
+       test-boot test-k8s test-persistence test-deploy test-storage test-security test-all \
       test-boot-arm64 test-cloudinit test-update-agent \
       bench-boot bench-resources \
-       dev-vm dev-vm-shell quick docker-build shellcheck \
+       dev-vm dev-vm-shell dev-vm-arm64 quick docker-build shellcheck \
       kernel-audit clean distclean help
 SHELL := /bin/bash
@@ -71,6 +72,24 @@ build-cross:
 	@echo "==> Cross-compiling for amd64 + arm64..."
 	$(BUILD_DIR)/scripts/build-cross.sh
 # =============================================================================
 # ARM64 Raspberry Pi targets
 # =============================================================================
 kernel-arm64:
 	@echo "==> Building ARM64 kernel for Raspberry Pi..."
 	$(BUILD_DIR)/scripts/build-kernel-arm64.sh
 rootfs-arm64:
 	@echo "==> Preparing ARM64 rootfs..."
 	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/fetch-components.sh
 	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/extract-core.sh
 	TARGET_ARCH=arm64 $(BUILD_DIR)/scripts/inject-kubesolo.sh
 rpi-image: rootfs-arm64 kernel-arm64
 	@echo "==> Creating Raspberry Pi SD card image..."
 	$(BUILD_DIR)/scripts/create-rpi-image.sh
 	@echo "==> Built: $(OUTPUT_DIR)/$(OS_NAME)-$(VERSION).rpi.img"
 # =============================================================================
 # Kernel validation
 # =============================================================================
@@ -101,6 +120,14 @@ test-storage: iso
 	@echo "==> Testing local storage provisioning..."
 	test/integration/test-local-storage.sh $(OUTPUT_DIR)/$(OS_NAME)-$(VERSION).iso
 test-security: iso
 	@echo "==> Testing security hardening..."
 	test/integration/test-security-hardening.sh $(OUTPUT_DIR)/$(OS_NAME)-$(VERSION).iso
 test-boot-arm64:
 	@echo "==> Testing ARM64 boot in QEMU..."
 	test/qemu/test-boot-arm64.sh
 test-all: test-boot test-k8s test-persistence
 # Cloud-init Go tests
@@ -163,6 +190,10 @@ dev-vm-debug: iso
 	@echo "==> Launching dev VM (debug mode)..."
 	hack/dev-vm.sh $(OUTPUT_DIR)/$(OS_NAME)-$(VERSION).iso --debug
 dev-vm-arm64:
 	@echo "==> Launching ARM64 dev VM..."
 	hack/dev-vm-arm64.sh
 # Fast rebuild: only repack initramfs + ISO (skip fetch/extract)
 quick:
 	@echo "==> Quick rebuild (repack + ISO only)..."
@@ -199,7 +230,7 @@ distclean: clean
 help:
 	@echo "KubeSolo OS Build System (v$(VERSION))"
 	@echo ""
-	@echo "Build targets:"
+	@echo "Build targets (x86_64):"
 	@echo "  make fetch              Download Tiny Core ISO, KubeSolo, dependencies"
 	@echo "  make kernel             Build custom kernel with CONFIG_CGROUP_BPF=y"
 	@echo "  make build-cloudinit    Build cloud-init Go binary"
@@ -213,25 +244,33 @@ help:
 	@echo "  make quick              Fast rebuild (re-inject + repack + ISO only)"
 	@echo "  make docker-build       Reproducible build inside Docker"
 	@echo ""
 	@echo "Build targets (ARM64 Raspberry Pi):"
 	@echo "  make kernel-arm64       Build ARM64 kernel from raspberrypi/linux"
 	@echo "  make rootfs-arm64       Extract + prepare ARM64 rootfs from piCore64"
 	@echo "  make rpi-image          Create Raspberry Pi SD card image with A/B partitions"
 	@echo ""
 	@echo "Test targets:"
 	@echo "  make test-boot          Boot ISO in QEMU, verify boot success"
 	@echo "  make test-k8s           Boot + verify K8s node reaches Ready"
 	@echo "  make test-persist       Reboot disk image, verify state persists"
 	@echo "  make test-deploy        Deploy nginx pod, verify Running"
 	@echo "  make test-storage       Test PVC with local-path provisioner"
 	@echo "  make test-security      Verify security hardening (AppArmor, sysctl, mounts)"
 	@echo "  make test-cloudinit     Run cloud-init Go unit tests"
 	@echo "  make test-update-agent  Run update agent Go unit tests"
 	@echo "  make test-update        A/B update cycle integration test"
 	@echo "  make test-rollback      Forced rollback integration test"
 	@echo "  make test-boot-arm64    ARM64 boot test in QEMU aarch64"
 	@echo "  make test-all           Run core tests (boot + k8s + persistence)"
 	@echo "  make test-integ         Run full integration suite"
 	@echo "  make bench-boot         Benchmark boot performance (3 runs)"
 	@echo "  make bench-resources    Benchmark resource usage (requires running VM)"
 	@echo ""
 	@echo "Dev targets:"
-	@echo "  make dev-vm         Launch interactive QEMU VM"
+	@echo "  make dev-vm         Launch interactive QEMU VM (x86_64)"
 	@echo "  make dev-vm-shell   Launch QEMU VM -> emergency shell"
 	@echo "  make dev-vm-debug   Launch QEMU VM with debug logging"
 	@echo "  make dev-vm-arm64   Launch ARM64 QEMU VM"
 	@echo "  make kernel-audit   Check kernel config against requirements"
 	@echo "  make shellcheck     Lint all shell scripts"
 	@echo ""
--- a/build/Dockerfile.builder
+++ b/build/Dockerfile.builder
@@ -31,6 +31,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    syslinux \
    syslinux-common \
    syslinux-utils \
    apparmor \
    apparmor-utils \
    gcc-aarch64-linux-gnu \
    binutils-aarch64-linux-gnu \
    git \
    wget \
    xorriso \
    xz-utils \
--- a/build/config/kernel-audit.sh
+++ b/build/config/kernel-audit.sh
@@ -128,7 +128,12 @@ echo "Security:"
 check_config CONFIG_SECCOMP              recommended "Seccomp (container security)"
 check_config CONFIG_SECCOMP_FILTER       recommended "Seccomp BPF filter"
 check_config CONFIG_BPF_SYSCALL          recommended "BPF syscall"
-check_config CONFIG_AUDIT                recommended "Audit framework"
+check_config CONFIG_AUDIT                mandatory "Audit framework"
 check_config CONFIG_AUDITSYSCALL         mandatory "Audit system call events"
 check_config CONFIG_SECURITY             mandatory "Security framework"
 check_config CONFIG_SECURITYFS           mandatory "Security filesystem"
 check_config CONFIG_SECURITY_APPARMOR    mandatory "AppArmor LSM"
 check_config CONFIG_SECURITY_NETWORK     recommended "Network security hooks"
 echo ""
 # --- Crypto ---
--- a/build/config/modules-arm64.list
+++ b/build/config/modules-arm64.list
@@ -0,0 +1,81 @@
 # Kernel modules loaded at boot by init (ARM64 / Raspberry Pi)
 # One module per line. Lines starting with # are ignored.
 # Modules are loaded in order listed — dependencies must come first.
 # Network device drivers (loaded early so interfaces are available)
 # Note: no e1000/e1000e on ARM64 — those are x86 Intel NIC drivers
 virtio_net
 # Virtio support (for QEMU VMs — block, entropy)
 virtio_blk
 virtio_rng
 # Raspberry Pi specific (USB Ethernet on Pi 4 is built-in, no module needed)
 # Pi 5 uses PCIe ethernet, also typically built-in
 # Filesystem — overlay (required for containerd)
 overlay
 # Netfilter dependencies (must load before conntrack)
 nf_defrag_ipv4
 nf_defrag_ipv6
 # Netfilter / connection tracking (required for kube-proxy)
 nf_conntrack
 nf_nat
 nf_conntrack_netlink
 # nftables (modern iptables backend)
 nf_tables
 nft_compat
 nft_chain_nat
 nft_ct
 nft_masq
 nft_nat
 nft_redir
 # Netfilter xt match/target modules (used by kube-proxy iptables rules via nft_compat)
 xt_conntrack
 xt_MASQUERADE
 xt_mark
 xt_comment
 xt_multiport
 xt_nat
 xt_addrtype
 xt_connmark
 xt_REDIRECT
 xt_recent
 xt_statistic
 xt_set
 # nft extras (reject, fib — used by kube-proxy nf_tables rules)
 nft_reject
 nft_reject_ipv4
 nft_reject_ipv6
 nft_fib
 nft_fib_ipv4
 nft_fib_ipv6
 # Reject targets (used by kube-proxy iptables-restore rules)
 nf_reject_ipv4
 nf_reject_ipv6
 ipt_REJECT
 ip6t_REJECT
 # nfacct extension (kube-proxy probes for it)
 xt_nfacct
 # Networking — bridge and netfilter (required for K8s pod networking)
 # Load order: llc → stp → bridge → br_netfilter
 llc
 stp
 bridge
 br_netfilter
 veth
 vxlan
 # IPVS — useful for kube-proxy IPVS mode and CNI plugins
 ip_vs
 ip_vs_rr
 ip_vs_wrr
 ip_vs_sh
--- a/build/config/rpi-kernel-config.fragment
+++ b/build/config/rpi-kernel-config.fragment
@@ -0,0 +1,69 @@
 # KubeSolo OS — Raspberry Pi kernel config overrides
 # Applied on top of bcm2711_defconfig (Pi 4) or bcm2712_defconfig (Pi 5)
 # These ensure container runtime support is enabled.
 # cgroup v2 (mandatory for containerd/runc)
 CONFIG_CGROUPS=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CGROUP_SCHED=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_MEMCG=y
 CONFIG_CGROUP_BPF=y
 CONFIG_CFS_BANDWIDTH=y
 # BPF (required for cgroup v2 device control)
 CONFIG_BPF=y
 CONFIG_BPF_SYSCALL=y
 # Namespaces (mandatory for containers)
 CONFIG_NAMESPACES=y
 CONFIG_NET_NS=y
 CONFIG_PID_NS=y
 CONFIG_USER_NS=y
 CONFIG_UTS_NS=y
 CONFIG_IPC_NS=y
 # Device management
 CONFIG_DEVTMPFS=y
 CONFIG_DEVTMPFS_MOUNT=y
 # Filesystem
 CONFIG_OVERLAY_FS=y
 CONFIG_SQUASHFS=y
 CONFIG_EXT4_FS=y
 CONFIG_VFAT_FS=y
 # Networking
 CONFIG_BRIDGE=m
 CONFIG_NETFILTER=y
 CONFIG_NF_CONNTRACK=m
 CONFIG_NF_NAT=m
 CONFIG_NF_TABLES=m
 CONFIG_VETH=m
 CONFIG_VXLAN=m
 # Security: AppArmor + Audit
 CONFIG_AUDIT=y
 CONFIG_AUDITSYSCALL=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_APPARMOR=y
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # Security: seccomp
 CONFIG_SECCOMP=y
 CONFIG_SECCOMP_FILTER=y
 # Crypto (image verification)
 CONFIG_CRYPTO_SHA256=y
 # Disable unnecessary subsystems for edge appliance
 # CONFIG_SOUND is not set
 # CONFIG_DRM is not set
 # CONFIG_MEDIA_SUPPORT is not set
 # CONFIG_WIRELESS is not set
 # CONFIG_BT is not set
 # CONFIG_NFC is not set
--- a/build/config/versions.env
+++ b/build/config/versions.env
@@ -15,5 +15,28 @@ KUBESOLO_INSTALL_URL=https://get.kubesolo.io
 GRUB_VERSION=2.12
 SYSLINUX_VERSION=6.03
 # SHA256 checksums for supply chain verification
 # Populate by running: sha256sum build/cache/<file>
 # Leave empty to skip verification (useful for first fetch)
 TINYCORE_ISO_SHA256=""
 KUBESOLO_SHA256=""
 NETFILTER_TCZ_SHA256=""
 NET_BRIDGING_TCZ_SHA256=""
 IPTABLES_TCZ_SHA256=""
 # piCore64 (ARM64 — Raspberry Pi)
 PICORE_VERSION=15.0
 PICORE_ARCH=aarch64
 PICORE_IMAGE=piCore-${PICORE_VERSION}.img.gz
 PICORE_IMAGE_URL=http://www.tinycorelinux.net/${PICORE_VERSION%%.*}.x/${PICORE_ARCH}/releases/RPi/${PICORE_IMAGE}
 # Raspberry Pi firmware (boot blobs, DTBs)
 RPI_FIRMWARE_TAG=1.20240529
 RPI_FIRMWARE_URL=https://github.com/raspberrypi/firmware/archive/refs/tags/${RPI_FIRMWARE_TAG}.tar.gz
 # Raspberry Pi kernel source
 RPI_KERNEL_BRANCH=rpi-6.6.y
 RPI_KERNEL_REPO=https://github.com/raspberrypi/linux
 # Output naming
 OS_NAME=kubesolo-os
--- a/build/rootfs/etc/apparmor.d/containerd
+++ b/build/rootfs/etc/apparmor.d/containerd
@@ -0,0 +1,52 @@
 # AppArmor profile for containerd
 # Start in complain mode to log without blocking
 #include <tunables/global>
 profile containerd /usr/bin/containerd flags=(complain) {
  #include <abstractions/base>
  # Binary and shared libraries
  /usr/bin/containerd                   mr,
  /usr/lib/**                           mr,
  /lib/**                               mr,
  # Containerd runtime state
  /var/lib/containerd/**                rw,
  /run/containerd/**                    rw,
  # Container image layers and snapshots
  /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/** rw,
  # CNI networking
  /etc/cni/**                           r,
  /opt/cni/bin/**                       ix,
  # Proc and sys access for containers
  @{PROC}/**                            r,
  /sys/**                               r,
  # Device access for containers
  /dev/**                               rw,
  # Network access
  network,
  # Container runtime needs broad capabilities
  capability,
  # Allow executing container runtimes
  /usr/bin/containerd-shim-runc-v2      ix,
  /usr/bin/runc                         ix,
  /usr/sbin/runc                        ix,
  # Temp files
  /tmp/**                               rw,
  # Log files
  /var/log/**                           rw,
  # Signal handling for child processes
  signal,
  ptrace,
 }
--- a/build/rootfs/etc/apparmor.d/kubelet
+++ b/build/rootfs/etc/apparmor.d/kubelet
@@ -0,0 +1,56 @@
 # AppArmor profile for kubesolo (kubelet + control plane)
 # Start in complain mode to log without blocking
 #include <tunables/global>
 profile kubesolo /usr/bin/kubesolo flags=(complain) {
  #include <abstractions/base>
  # Binary and shared libraries
  /usr/bin/kubesolo                     mr,
  /usr/lib/**                           mr,
  /lib/**                               mr,
  # KubeSolo state (etcd/SQLite, certificates, manifests)
  /var/lib/kubesolo/**                  rw,
  # KubeSolo configuration
  /etc/kubesolo/**                      r,
  # Containerd socket
  /run/containerd/**                    rw,
  # CNI networking
  /etc/cni/**                           r,
  /opt/cni/bin/**                       ix,
  # Proc and sys access
  @{PROC}/**                            r,
  /sys/**                               r,
  # Device access
  /dev/**                               rw,
  # Network access (API server, kubelet, etcd)
  network,
  # Control plane needs broad capabilities
  capability,
  # Kubectl and other tools
  /usr/bin/kubectl                      ix,
  /usr/local/bin/**                     ix,
  # Temp files
  /tmp/**                               rw,
  # Log files
  /var/log/**                           rw,
  # Kubelet needs to manage pods
  /var/lib/kubelet/**                   rw,
  # Signal handling
  signal,
  ptrace,
 }
--- a/build/rootfs/etc/sysctl.d/security.conf
+++ b/build/rootfs/etc/sysctl.d/security.conf
@@ -0,0 +1,27 @@
 # Security hardening — applied automatically by 40-sysctl.sh
 # Network: anti-spoofing
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 # Network: SYN flood protection
 net.ipv4.tcp_syncookies = 1
 # Network: ICMP hardening
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.conf.all.log_martians = 1
 # Network: IPv6 hardening
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_ra = 0
 # Network: source routing
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 # Kernel: information disclosure
 kernel.kptr_restrict = 2
 kernel.dmesg_restrict = 1
 kernel.perf_event_paranoid = 3
 # Kernel: core dump safety
 fs.suid_dumpable = 0
--- a/build/scripts/build-kernel-arm64.sh
+++ b/build/scripts/build-kernel-arm64.sh
@@ -0,0 +1,158 @@
 #!/bin/bash
 # build-kernel-arm64.sh — Build ARM64 kernel for Raspberry Pi 4/5
 #
 # Uses the official raspberrypi/linux kernel fork with bcm2711_defconfig
 # as the base, overlaid with container-critical config options.
 #
 # Output is cached in $CACHE_DIR/custom-kernel-arm64/ and reused across builds.
 #
 # Requirements:
 #   - gcc-aarch64-linux-gnu (cross-compiler)
 #   - Standard kernel build deps (bc, bison, flex, etc.)
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 CACHE_DIR="${CACHE_DIR:-$PROJECT_ROOT/build/cache}"
 # shellcheck source=../config/versions.env
 . "$SCRIPT_DIR/../config/versions.env"
 CUSTOM_KERNEL_DIR="$CACHE_DIR/custom-kernel-arm64"
 CUSTOM_IMAGE="$CUSTOM_KERNEL_DIR/Image"
 CUSTOM_MODULES="$CUSTOM_KERNEL_DIR/modules"
 CUSTOM_DTBS="$CUSTOM_KERNEL_DIR/dtbs"
 mkdir -p "$CACHE_DIR" "$CUSTOM_KERNEL_DIR"
 # --- Skip if already built ---
 if [ -f "$CUSTOM_IMAGE" ] && [ -d "$CUSTOM_MODULES" ]; then
    echo "==> ARM64 kernel already built (cached)"
    echo "    Image: $CUSTOM_IMAGE ($(du -h "$CUSTOM_IMAGE" | cut -f1))"
    exit 0
 fi
 # --- Verify cross-compiler ---
 if ! command -v aarch64-linux-gnu-gcc >/dev/null 2>&1; then
    echo "ERROR: aarch64-linux-gnu-gcc not found"
    echo "Install: apt-get install gcc-aarch64-linux-gnu"
    exit 1
 fi
 echo "==> Building ARM64 kernel for Raspberry Pi..."
 echo "    Branch: $RPI_KERNEL_BRANCH"
 echo "    Repo:   $RPI_KERNEL_REPO"
 # --- Download kernel source ---
 KERNEL_SRC_DIR="$CACHE_DIR/rpi-linux-${RPI_KERNEL_BRANCH}"
 if [ ! -d "$KERNEL_SRC_DIR" ]; then
    echo "==> Downloading RPi kernel source (shallow clone)..."
    git clone --depth 1 --branch "$RPI_KERNEL_BRANCH" \
        "$RPI_KERNEL_REPO" "$KERNEL_SRC_DIR"
 else
    echo "==> Kernel source already cached"
 fi
 # --- Build in /tmp for case-sensitivity ---
 KERNEL_BUILD_DIR="/tmp/kernel-build-arm64"
 rm -rf "$KERNEL_BUILD_DIR"
 cp -a "$KERNEL_SRC_DIR" "$KERNEL_BUILD_DIR"
 cd "$KERNEL_BUILD_DIR"
 # --- Apply base config (Pi 4 = bcm2711) ---
 echo "==> Applying bcm2711_defconfig..."
 make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- bcm2711_defconfig
 # --- Apply container config overrides ---
 CONFIG_FRAGMENT="$PROJECT_ROOT/build/config/rpi-kernel-config.fragment"
 if [ -f "$CONFIG_FRAGMENT" ]; then
    echo "==> Applying KubeSolo config overrides..."
    while IFS= read -r line; do
        # Skip comments and empty lines
        case "$line" in \#*|"") continue ;; esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$value" in
            y)   ./scripts/config --enable "$key" ;;
            m)   ./scripts/config --module "$key" ;;
            n)   ./scripts/config --disable "${key#CONFIG_}" ;;
            *)   ./scripts/config --set-str "$key" "$value" ;;
        esac
    done < "$CONFIG_FRAGMENT"
 fi
 # Handle "is not set" comments as disables
 if [ -f "$CONFIG_FRAGMENT" ]; then
    while IFS= read -r line; do
        case "$line" in
            "# CONFIG_"*" is not set")
                key=$(echo "$line" | sed -n 's/^# \(CONFIG_[A-Z_]*\) is not set$/\1/p')
                [ -n "$key" ] && ./scripts/config --disable "${key#CONFIG_}"
                ;;
        esac
    done < "$CONFIG_FRAGMENT"
 fi
 # Resolve dependencies
 make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- olddefconfig
 # --- Build kernel + modules + DTBs ---
 NPROC=$(nproc 2>/dev/null || echo 4)
 echo ""
 echo "==> Building ARM64 kernel (${NPROC} parallel jobs)..."
 echo "    This may take 20-30 minutes..."
 make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- -j"$NPROC" Image modules dtbs 2>&1
 echo "==> ARM64 kernel build complete"
 # --- Install to staging ---
 echo "==> Installing Image..."
 cp arch/arm64/boot/Image "$CUSTOM_IMAGE"
 echo "==> Installing modules (stripped)..."
 rm -rf "$CUSTOM_MODULES"
 mkdir -p "$CUSTOM_MODULES"
 make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \
    INSTALL_MOD_STRIP=1 modules_install INSTALL_MOD_PATH="$CUSTOM_MODULES"
 # Remove build/source symlinks
 KVER=$(ls "$CUSTOM_MODULES/lib/modules/" | head -1)
 rm -f "$CUSTOM_MODULES/lib/modules/$KVER/build"
 rm -f "$CUSTOM_MODULES/lib/modules/$KVER/source"
 # Run depmod
 depmod -a -b "$CUSTOM_MODULES" "$KVER" 2>/dev/null || true
 echo "==> Installing Device Tree Blobs..."
 rm -rf "$CUSTOM_DTBS"
 mkdir -p "$CUSTOM_DTBS/overlays"
 # Pi 4 DTBs
 cp arch/arm64/boot/dts/broadcom/bcm2711*.dtb "$CUSTOM_DTBS/" 2>/dev/null || true
 # Pi 5 DTBs
 cp arch/arm64/boot/dts/broadcom/bcm2712*.dtb "$CUSTOM_DTBS/" 2>/dev/null || true
 # Overlays we need
 for overlay in disable-wifi disable-bt; do
    [ -f "arch/arm64/boot/dts/overlays/${overlay}.dtbo" ] && \
        cp "arch/arm64/boot/dts/overlays/${overlay}.dtbo" "$CUSTOM_DTBS/overlays/"
 done
 # Save config for reference
 cp .config "$CUSTOM_KERNEL_DIR/.config"
 # --- Clean up ---
 echo "==> Cleaning kernel build directory..."
 cd /
 rm -rf "$KERNEL_BUILD_DIR"
 # --- Summary ---
 echo ""
 echo "==> ARM64 kernel build complete:"
 echo "    Image:        $CUSTOM_IMAGE ($(du -h "$CUSTOM_IMAGE" | cut -f1))"
 echo "    Kernel ver:   $KVER"
 MOD_COUNT=$(find "$CUSTOM_MODULES/lib/modules/$KVER" -name '*.ko*' 2>/dev/null | wc -l)
 echo "    Modules:      $MOD_COUNT"
 echo "    Modules size: $(du -sh "$CUSTOM_MODULES/lib/modules/$KVER" 2>/dev/null | cut -f1)"
 echo "    DTBs:         $(ls "$CUSTOM_DTBS"/*.dtb 2>/dev/null | wc -l)"
 echo ""
--- a/build/scripts/build-kernel.sh
+++ b/build/scripts/build-kernel.sh
@@ -96,6 +96,17 @@ echo "==> Enabling required kernel configs..."
 ./scripts/config --enable CONFIG_MEMCG
 ./scripts/config --enable CONFIG_CFS_BANDWIDTH
 # Security: AppArmor LSM + Audit subsystem
 echo "==> Enabling AppArmor + Audit kernel configs..."
 ./scripts/config --enable CONFIG_AUDIT
 ./scripts/config --enable CONFIG_AUDITSYSCALL
 ./scripts/config --enable CONFIG_SECURITY
 ./scripts/config --enable CONFIG_SECURITYFS
 ./scripts/config --enable CONFIG_SECURITY_NETWORK
 ./scripts/config --enable CONFIG_SECURITY_APPARMOR
 ./scripts/config --set-str CONFIG_LSM "lockdown,yama,apparmor"
 ./scripts/config --set-str CONFIG_DEFAULT_SECURITY "apparmor"
 # --- Strip unnecessary subsystems for smallest footprint ---
 # This is a headless K8s edge appliance — no sound, GPU, wireless, etc.
 echo "==> Disabling unnecessary subsystems for minimal footprint..."
--- a/build/scripts/create-rpi-image.sh
+++ b/build/scripts/create-rpi-image.sh
@@ -0,0 +1,203 @@
 #!/bin/bash
 # create-rpi-image.sh — Create a raw disk image for Raspberry Pi SD card
 #
 # Partition layout (GPT):
 #   Part 1: Boot Control  (16 MB, FAT32, label KSOLOCTL) — autoboot.txt only
 #   Part 2: Boot A        (256 MB, FAT32, label KSOLOA)  — firmware + kernel + DTBs + initramfs
 #   Part 3: Boot B        (256 MB, FAT32, label KSOLOB)  — same as Boot A (initially identical)
 #   Part 4: Data          (remaining of 2GB, ext4, label KSOLODATA)
 #
 # The RPi uses autoboot.txt in the control partition to implement A/B boot
 # via the tryboot mechanism (tryboot_a_b=1). Normal boot → partition 2 (Boot A),
 # tryboot → partition 3 (Boot B).
 #
 # Usage: build/scripts/create-rpi-image.sh
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 # shellcheck source=../config/versions.env
 . "$SCRIPT_DIR/../config/versions.env"
 ROOTFS_DIR="${ROOTFS_DIR:-$PROJECT_ROOT/build/rootfs-work}"
 OUTPUT_DIR="${OUTPUT_DIR:-$PROJECT_ROOT/output}"
 CACHE_DIR="${CACHE_DIR:-$PROJECT_ROOT/build/cache}"
 VERSION="$(cat "$PROJECT_ROOT/VERSION")"
 IMG_OUTPUT="$OUTPUT_DIR/${OS_NAME}-${VERSION}.rpi.img"
 IMG_SIZE_MB="${IMG_SIZE_MB:-2048}"  # 2 GB default
 # ARM64 kernel (Image format, not bzImage)
 KERNEL="${CACHE_DIR}/custom-kernel-arm64/Image"
 INITRAMFS="${ROOTFS_DIR}/kubesolo-os.gz"
 RPI_FIRMWARE_DIR="${CACHE_DIR}/rpi-firmware"
 echo "==> Creating ${IMG_SIZE_MB}MB Raspberry Pi disk image..."
 # --- Verify required files ---
 MISSING=0
 for f in "$KERNEL" "$INITRAMFS"; do
    if [ ! -f "$f" ]; then
        echo "ERROR: Missing $f"
        MISSING=1
    fi
 done
 if [ ! -d "$RPI_FIRMWARE_DIR" ]; then
    echo "ERROR: Missing RPi firmware directory: $RPI_FIRMWARE_DIR"
    echo "  Run 'make fetch' to download firmware blobs."
    MISSING=1
 fi
 if [ "$MISSING" = "1" ]; then
    echo ""
    echo "Required files:"
    echo "  Kernel:    $KERNEL (run 'make kernel-arm64')"
    echo "  Initramfs: $INITRAMFS (run 'make initramfs')"
    echo "  Firmware:  $RPI_FIRMWARE_DIR/ (run 'make fetch')"
    exit 1
 fi
 mkdir -p "$OUTPUT_DIR"
 # --- Create sparse image ---
 dd if=/dev/zero of="$IMG_OUTPUT" bs=1M count=0 seek="$IMG_SIZE_MB" 2>/dev/null
 # --- Partition table (GPT) ---
 # Part 1: Boot Control  16 MB FAT32
 # Part 2: Boot A       256 MB FAT32
 # Part 3: Boot B       256 MB FAT32
 # Part 4: Data         remaining ext4
 sfdisk "$IMG_OUTPUT" << EOF
 label: gpt
 # Boot Control partition: 16 MB
 start=2048, size=32768, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="BootCtl"
 # Boot A partition: 256 MB
 size=524288, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="BootA"
 # Boot B partition: 256 MB
 size=524288, type=EBD0A0A2-B9E5-4433-87C0-68B6B72699C7, name="BootB"
 # Data partition: remaining
 type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name="Data"
 EOF
 # --- Set up loop device ---
 LOOP=$(losetup --show -fP "$IMG_OUTPUT")
 echo "==> Loop device: $LOOP"
 MNT_CTL=$(mktemp -d)
 MNT_BOOTA=$(mktemp -d)
 MNT_BOOTB=$(mktemp -d)
 MNT_DATA=$(mktemp -d)
 cleanup() {
    umount "$MNT_CTL" 2>/dev/null || true
    umount "$MNT_BOOTA" 2>/dev/null || true
    umount "$MNT_BOOTB" 2>/dev/null || true
    umount "$MNT_DATA" 2>/dev/null || true
    losetup -d "$LOOP" 2>/dev/null || true
    rm -rf "$MNT_CTL" "$MNT_BOOTA" "$MNT_BOOTB" "$MNT_DATA" 2>/dev/null || true
 }
 trap cleanup EXIT
 # --- Format partitions ---
 mkfs.vfat -F 32 -n KSOLOCTL "${LOOP}p1"
 mkfs.vfat -F 32 -n KSOLOA "${LOOP}p2"
 mkfs.vfat -F 32 -n KSOLOB "${LOOP}p3"
 mkfs.ext4 -q -L KSOLODATA "${LOOP}p4"
 # --- Mount all partitions ---
 mount "${LOOP}p1" "$MNT_CTL"
 mount "${LOOP}p2" "$MNT_BOOTA"
 mount "${LOOP}p3" "$MNT_BOOTB"
 mount "${LOOP}p4" "$MNT_DATA"
 # --- Boot Control Partition (KSOLOCTL) ---
 echo "    Writing autoboot.txt..."
 cat > "$MNT_CTL/autoboot.txt" << 'AUTOBOOT'
 [all]
 tryboot_a_b=1
 boot_partition=2
 [tryboot]
 boot_partition=3
 AUTOBOOT
 # --- Helper: populate a boot partition ---
 populate_boot_partition() {
    local MNT="$1"
    local LABEL="$2"
    echo "    Populating $LABEL..."
    # config.txt — Raspberry Pi boot configuration
    cat > "$MNT/config.txt" << 'CFGTXT'
 arm_64bit=1
 kernel=kernel8.img
 initramfs kubesolo-os.gz followkernel
 enable_uart=1
 gpu_mem=16
 dtoverlay=disable-wifi
 dtoverlay=disable-bt
 CFGTXT
    # cmdline.txt — kernel command line
    # Note: must be a single line
    echo "console=serial0,115200 console=tty1 kubesolo.data=LABEL=KSOLODATA quiet" > "$MNT/cmdline.txt"
    # Copy kernel as kernel8.img (RPi 3/4/5 ARM64 convention)
    cp "$KERNEL" "$MNT/kernel8.img"
    # Copy initramfs
    cp "$INITRAMFS" "$MNT/kubesolo-os.gz"
    # Copy firmware blobs (start*.elf, fixup*.dat)
    if ls "$RPI_FIRMWARE_DIR"/start*.elf 1>/dev/null 2>&1; then
        cp "$RPI_FIRMWARE_DIR"/start*.elf "$MNT/"
    fi
    if ls "$RPI_FIRMWARE_DIR"/fixup*.dat 1>/dev/null 2>&1; then
        cp "$RPI_FIRMWARE_DIR"/fixup*.dat "$MNT/"
    fi
    if [ -f "$RPI_FIRMWARE_DIR/bootcode.bin" ]; then
        cp "$RPI_FIRMWARE_DIR/bootcode.bin" "$MNT/"
    fi
    # Copy DTB overlays
    if [ -d "$RPI_FIRMWARE_DIR/overlays" ]; then
        cp -r "$RPI_FIRMWARE_DIR/overlays" "$MNT/"
    fi
    # Copy base DTBs (bcm2710-*, bcm2711-*, bcm2712-*)
    if ls "$RPI_FIRMWARE_DIR"/bcm27*.dtb 1>/dev/null 2>&1; then
        cp "$RPI_FIRMWARE_DIR"/bcm27*.dtb "$MNT/"
    fi
    # Write version marker
    echo "$VERSION" > "$MNT/version.txt"
 }
 # --- Boot A Partition (KSOLOA) ---
 populate_boot_partition "$MNT_BOOTA" "Boot A (KSOLOA)"
 # --- Boot B Partition (KSOLOB, initially identical) ---
 populate_boot_partition "$MNT_BOOTB" "Boot B (KSOLOB)"
 # --- Data Partition (KSOLODATA) ---
 echo "    Preparing data partition..."
 for dir in kubesolo containerd etc-kubesolo log usr-local network images; do
    mkdir -p "$MNT_DATA/$dir"
 done
 sync
 echo ""
 echo "==> Raspberry Pi disk image created: $IMG_OUTPUT"
 echo "    Size: $(du -h "$IMG_OUTPUT" | cut -f1)"
 echo "    Part 1 (KSOLOCTL):  Boot control (autoboot.txt)"
 echo "    Part 2 (KSOLOA):    Boot A — firmware + kernel + initramfs"
 echo "    Part 3 (KSOLOB):    Boot B — firmware + kernel + initramfs"
 echo "    Part 4 (KSOLODATA): Persistent K8s state"
 echo ""
 echo "Write to SD card with:"
 echo "    sudo dd if=$IMG_OUTPUT of=/dev/sdX bs=4M status=progress"
 echo ""
--- a/build/scripts/extract-core.sh
+++ b/build/scripts/extract-core.sh
@@ -10,6 +10,94 @@ ROOTFS_DIR="${ROOTFS_DIR:-$PROJECT_ROOT/build/rootfs-work}"
 # shellcheck source=../config/versions.env
 . "$SCRIPT_DIR/../config/versions.env"
 EXTRACT_ARCH="${TARGET_ARCH:-amd64}"
 # Clean previous rootfs
 rm -rf "$ROOTFS_DIR"
 mkdir -p "$ROOTFS_DIR"
 # =========================================================================
 # ARM64: piCore64 .img.gz extraction (SD card image, not ISO)
 # =========================================================================
 if [ "$EXTRACT_ARCH" = "arm64" ]; then
    PICORE_IMG="$CACHE_DIR/$PICORE_IMAGE"
    if [ ! -f "$PICORE_IMG" ]; then
        echo "ERROR: piCore64 image not found: $PICORE_IMG"
        echo "Run 'TARGET_ARCH=arm64 make fetch' first."
        exit 1
    fi
    echo "==> Extracting piCore64 image: $PICORE_IMG"
    # Decompress .img.gz to raw image
    PICORE_RAW="$CACHE_DIR/piCore-${PICORE_VERSION}.img"
    if [ ! -f "$PICORE_RAW" ]; then
        echo "    Decompressing..."
        gunzip -k "$PICORE_IMG" 2>/dev/null || \
            zcat "$PICORE_IMG" > "$PICORE_RAW"
    fi
    # Mount the piCore rootfs partition (partition 2 in the SD image)
    # Use losetup to find the partition offset
    IMG_MNT=$(mktemp -d)
    echo "    Mounting piCore rootfs partition..."
    # Get partition 2 offset (piCore layout: boot=p1, rootfs=p2)
    OFFSET=$(fdisk -l "$PICORE_RAW" 2>/dev/null | awk '/^.*img2/{print $2}')
    if [ -z "$OFFSET" ]; then
        # Fallback: try sfdisk
        OFFSET=$(sfdisk -d "$PICORE_RAW" 2>/dev/null | awk -F'[=,]' '/start=/{print $2; exit}' | tr -d ' ')
    fi
    if [ -z "$OFFSET" ]; then
        echo "ERROR: Could not determine partition offset in piCore image"
        fdisk -l "$PICORE_RAW" || true
        exit 1
    fi
    BYTE_OFFSET=$((OFFSET * 512))
    mount -o loop,ro,offset="$BYTE_OFFSET" "$PICORE_RAW" "$IMG_MNT" || {
        echo "ERROR: Failed to mount piCore rootfs (need root for losetup)"
        exit 1
    }
    # Find initramfs in the piCore rootfs
    COREGZ=""
    for f in "$IMG_MNT"/boot/corepure64.gz "$IMG_MNT"/boot/core.gz "$IMG_MNT"/*.gz; do
        [ -f "$f" ] && COREGZ="$f" && break
    done
    if [ -z "$COREGZ" ]; then
        echo "ERROR: Could not find initramfs in piCore image"
        echo "Contents:"
        ls -la "$IMG_MNT"/
        ls -la "$IMG_MNT"/boot/ 2>/dev/null || true
        umount "$IMG_MNT" 2>/dev/null || true
        exit 1
    fi
    echo "==> Found initramfs: $COREGZ"
    # Extract initramfs
    mkdir -p "$ROOTFS_DIR/rootfs"
    cd "$ROOTFS_DIR/rootfs"
    zcat "$COREGZ" | cpio -idm 2>/dev/null
    # Note: ARM64 kernel comes from build-kernel-arm64.sh, not from piCore
    # We only use piCore for the BusyBox userland
    cd "$PROJECT_ROOT"
    umount "$IMG_MNT" 2>/dev/null || true
    rm -rf "$IMG_MNT"
    echo "==> ARM64 rootfs extracted: $ROOTFS_DIR/rootfs"
    echo "    Size: $(du -sh "$ROOTFS_DIR/rootfs" | cut -f1)"
    echo "==> Extract complete (ARM64). Kernel will come from build-kernel-arm64.sh"
    exit 0
 fi
 # =========================================================================
 # x86_64: Tiny Core ISO extraction
 # =========================================================================
 TC_ISO="$CACHE_DIR/$TINYCORE_ISO"
 ISO_MNT="$ROOTFS_DIR/iso-mount"
@@ -19,9 +107,7 @@ if [ ! -f "$TC_ISO" ]; then
    exit 1
 fi
-# Clean previous rootfs
+mkdir -p "$ISO_MNT"
 rm -rf "$ROOTFS_DIR"
 mkdir -p "$ROOTFS_DIR" "$ISO_MNT"
 # --- Mount ISO and extract kernel + initramfs ---
 echo "==> Mounting ISO: $TC_ISO"
--- a/build/scripts/fetch-components.sh
+++ b/build/scripts/fetch-components.sh
@@ -10,9 +10,56 @@ CACHE_DIR="${CACHE_DIR:-$PROJECT_ROOT/build/cache}"
 # shellcheck source=../config/versions.env
 . "$SCRIPT_DIR/../config/versions.env"
 # Verify SHA256 checksum of a downloaded file
 verify_checksum() {
    local file="$1" expected="$2" name="$3"
    # Skip if no expected checksum provided
    [ -z "$expected" ] && return 0
    local actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "    Checksum OK: $name"
        return 0
    else
        echo "ERROR: Checksum mismatch for $name"
        echo "  Expected: $expected"
        echo "  Got:      $actual"
        rm -f "$file"
        return 1
    fi
 }
 mkdir -p "$CACHE_DIR"
-# --- Tiny Core Linux ISO ---
+# Detect target architecture
 FETCH_ARCH="${TARGET_ARCH:-amd64}"
 # --- ARM64: piCore64 image instead of x86_64 ISO ---
 if [ "$FETCH_ARCH" = "arm64" ]; then
    PICORE_IMG="$CACHE_DIR/$PICORE_IMAGE"
    if [ -f "$PICORE_IMG" ]; then
        echo "==> piCore64 image already cached: $PICORE_IMG"
    else
        echo "==> Downloading piCore64 ${PICORE_VERSION} (${PICORE_ARCH})..."
        echo "    URL: $PICORE_IMAGE_URL"
        wget -q --show-progress -O "$PICORE_IMG" "$PICORE_IMAGE_URL" 2>/dev/null || \
            curl -fSL "$PICORE_IMAGE_URL" -o "$PICORE_IMG"
        echo "==> Downloaded: $PICORE_IMG ($(du -h "$PICORE_IMG" | cut -f1))"
    fi
    # Also fetch RPi firmware
    echo "==> Fetching RPi firmware..."
    "$SCRIPT_DIR/fetch-rpi-firmware.sh"
    # Skip x86_64 ISO and TCZ downloads for ARM64
    echo ""
    echo "==> ARM64 fetch complete."
    echo "==> Component cache:"
    ls -lh "$CACHE_DIR"/ 2>/dev/null || true
    exit 0
 fi
 # --- x86_64: Tiny Core Linux ISO ---
 TC_ISO="$CACHE_DIR/$TINYCORE_ISO"
 TC_URL="${TINYCORE_MIRROR}/${TINYCORE_VERSION%%.*}.x/${TINYCORE_ARCH}/release/${TINYCORE_ISO}"
@@ -28,6 +75,7 @@ else
        wget -q --show-progress -O "$TC_ISO" "$TC_URL_ALT"
    }
    echo "==> Downloaded: $TC_ISO ($(du -h "$TC_ISO" | cut -f1))"
    verify_checksum "$TC_ISO" "$TINYCORE_ISO_SHA256" "Tiny Core ISO"
 fi
 # --- KubeSolo ---
@@ -88,6 +136,7 @@ else
    rm -rf "$TEMP_DIR"
    echo "==> KubeSolo binary: $KUBESOLO_BIN ($(du -h "$KUBESOLO_BIN" | cut -f1))"
    verify_checksum "$KUBESOLO_BIN" "$KUBESOLO_SHA256" "KubeSolo binary"
 fi
 # --- Tiny Core kernel module extensions (netfilter, iptables) ---
@@ -114,6 +163,7 @@ else
    if wget -q --show-progress -O "$NETFILTER_TCZ" "$NETFILTER_TCZ_URL" 2>/dev/null || \
       curl -fSL "$NETFILTER_TCZ_URL" -o "$NETFILTER_TCZ" 2>/dev/null; then
        echo "==> Downloaded: $NETFILTER_TCZ ($(du -h "$NETFILTER_TCZ" | cut -f1))"
        verify_checksum "$NETFILTER_TCZ" "$NETFILTER_TCZ_SHA256" "netfilter TCZ"
    else
        echo "WARN: Failed to download netfilter modules. kube-proxy may not work."
        rm -f "$NETFILTER_TCZ"
@@ -131,6 +181,7 @@ else
    if wget -q --show-progress -O "$NET_BRIDGING_TCZ" "$NET_BRIDGING_TCZ_URL" 2>/dev/null || \
       curl -fSL "$NET_BRIDGING_TCZ_URL" -o "$NET_BRIDGING_TCZ" 2>/dev/null; then
        echo "==> Downloaded: $NET_BRIDGING_TCZ ($(du -h "$NET_BRIDGING_TCZ" | cut -f1))"
        verify_checksum "$NET_BRIDGING_TCZ" "$NET_BRIDGING_TCZ_SHA256" "net-bridging TCZ"
    else
        echo "WARN: Failed to download net-bridging modules. CNI bridge may not work."
        rm -f "$NET_BRIDGING_TCZ"
@@ -148,6 +199,7 @@ else
    if wget -q --show-progress -O "$IPTABLES_TCZ" "$IPTABLES_TCZ_URL" 2>/dev/null || \
       curl -fSL "$IPTABLES_TCZ_URL" -o "$IPTABLES_TCZ" 2>/dev/null; then
        echo "==> Downloaded: $IPTABLES_TCZ ($(du -h "$IPTABLES_TCZ" | cut -f1))"
        verify_checksum "$IPTABLES_TCZ" "$IPTABLES_TCZ_SHA256" "iptables TCZ"
    else
        echo "WARN: Failed to download iptables. KubeSolo bundles its own but this is a fallback."
        rm -f "$IPTABLES_TCZ"
--- a/build/scripts/fetch-rpi-firmware.sh
+++ b/build/scripts/fetch-rpi-firmware.sh
@@ -0,0 +1,88 @@
 #!/bin/bash
 # fetch-rpi-firmware.sh — Download Raspberry Pi firmware blobs for boot
 #
 # Downloads firmware from the official raspberrypi/firmware GitHub repository.
 # Extracts only the boot files needed: start*.elf, fixup*.dat, DTBs, bootcode.bin.
 #
 # Output: build/cache/rpi-firmware/ containing all required boot files.
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 CACHE_DIR="${CACHE_DIR:-$PROJECT_ROOT/build/cache}"
 # shellcheck source=../config/versions.env
 . "$SCRIPT_DIR/../config/versions.env"
 RPI_FW_DIR="$CACHE_DIR/rpi-firmware"
 RPI_FW_ARCHIVE="$CACHE_DIR/rpi-firmware-${RPI_FIRMWARE_TAG}.tar.gz"
 # --- Skip if already fetched ---
 if [ -d "$RPI_FW_DIR" ] && [ -f "$RPI_FW_DIR/start4.elf" ]; then
    echo "==> RPi firmware already cached: $RPI_FW_DIR"
    echo "    Files: $(ls "$RPI_FW_DIR" | wc -l)"
    exit 0
 fi
 echo "==> Downloading Raspberry Pi firmware (tag: ${RPI_FIRMWARE_TAG})..."
 mkdir -p "$CACHE_DIR" "$RPI_FW_DIR"
 # --- Download firmware archive ---
 if [ ! -f "$RPI_FW_ARCHIVE" ]; then
    echo "    URL: $RPI_FIRMWARE_URL"
    wget -q --show-progress -O "$RPI_FW_ARCHIVE" "$RPI_FIRMWARE_URL" 2>/dev/null || \
        curl -fSL "$RPI_FIRMWARE_URL" -o "$RPI_FW_ARCHIVE"
    echo "    Downloaded: $(du -h "$RPI_FW_ARCHIVE" | cut -f1)"
 else
    echo "    Archive already cached: $(du -h "$RPI_FW_ARCHIVE" | cut -f1)"
 fi
 # --- Extract boot files only ---
 echo "==> Extracting boot files..."
 TEMP_DIR=$(mktemp -d)
 trap "rm -rf '$TEMP_DIR'" EXIT
 # Extract only the boot/ directory from the archive
 # Archive structure: firmware-<tag>/boot/...
 tar -xzf "$RPI_FW_ARCHIVE" -C "$TEMP_DIR" --strip-components=1 '*/boot/'
 BOOT_SRC="$TEMP_DIR/boot"
 if [ ! -d "$BOOT_SRC" ]; then
    echo "ERROR: boot/ directory not found in firmware archive"
    ls -la "$TEMP_DIR"/
    exit 1
 fi
 # Copy GPU firmware (required for boot)
 for f in "$BOOT_SRC"/start*.elf "$BOOT_SRC"/fixup*.dat; do
    [ -f "$f" ] && cp "$f" "$RPI_FW_DIR/"
 done
 # Copy bootcode.bin (first-stage boot for Pi 3 and older)
 [ -f "$BOOT_SRC/bootcode.bin" ] && cp "$BOOT_SRC/bootcode.bin" "$RPI_FW_DIR/"
 # Copy Device Tree Blobs for Pi 4 + Pi 5
 for dtb in bcm2711-rpi-4-b.dtb bcm2711-rpi-400.dtb bcm2711-rpi-cm4.dtb \
           bcm2712-rpi-5-b.dtb bcm2712d0-rpi-5-b.dtb; do
    [ -f "$BOOT_SRC/$dtb" ] && cp "$BOOT_SRC/$dtb" "$RPI_FW_DIR/"
 done
 # Copy overlays directory (needed for config.txt dtoverlay= directives)
 if [ -d "$BOOT_SRC/overlays" ]; then
    mkdir -p "$RPI_FW_DIR/overlays"
    # Only copy overlays we actually use (disable-wifi, disable-bt)
    for overlay in disable-wifi.dtbo disable-bt.dtbo; do
        [ -f "$BOOT_SRC/overlays/$overlay" ] && \
            cp "$BOOT_SRC/overlays/$overlay" "$RPI_FW_DIR/overlays/"
    done
 fi
 trap - EXIT
 rm -rf "$TEMP_DIR"
 # --- Summary ---
 echo ""
 echo "==> RPi firmware extracted to: $RPI_FW_DIR"
 echo "    Files:"
 ls -1 "$RPI_FW_DIR" | head -20
 echo "    Total size: $(du -sh "$RPI_FW_DIR" | cut -f1)"
--- a/build/scripts/inject-kubesolo.sh
+++ b/build/scripts/inject-kubesolo.sh
@@ -8,6 +8,16 @@ CACHE_DIR="${CACHE_DIR:-$PROJECT_ROOT/build/cache}"
 ROOTFS_DIR="${ROOTFS_DIR:-$PROJECT_ROOT/build/rootfs-work}"
 ROOTFS="$ROOTFS_DIR/rootfs"
 VERSION="$(cat "$PROJECT_ROOT/VERSION")"
 INJECT_ARCH="${TARGET_ARCH:-amd64}"
 # Architecture-specific paths
 if [ "$INJECT_ARCH" = "arm64" ]; then
    LIB_ARCH="aarch64-linux-gnu"
    LD_SO="/lib/ld-linux-aarch64.so.1"
 else
    LIB_ARCH="x86_64-linux-gnu"
    LD_SO="/lib64/ld-linux-x86-64.so.2"
 fi
 if [ ! -d "$ROOTFS" ]; then
    echo "ERROR: Rootfs not found: $ROOTFS"
@@ -90,8 +100,13 @@ fi
 # --- 3. Custom kernel or TCZ kernel modules ---
 # If a custom kernel was built (with CONFIG_CGROUP_BPF=y), use it.
 # Otherwise fall back to TCZ-extracted modules with manual modules.dep.
 if [ "$INJECT_ARCH" = "arm64" ]; then
    CUSTOM_KERNEL_DIR="$CACHE_DIR/custom-kernel-arm64"
    CUSTOM_VMLINUZ="$CUSTOM_KERNEL_DIR/Image"
 else
    CUSTOM_KERNEL_DIR="$CACHE_DIR/custom-kernel"
    CUSTOM_VMLINUZ="$CUSTOM_KERNEL_DIR/vmlinuz"
 fi
 CUSTOM_MODULES="$CUSTOM_KERNEL_DIR/modules"
 # Detect kernel version from rootfs
@@ -131,7 +146,11 @@ if [ -f "$CUSTOM_VMLINUZ" ] && [ -d "$CUSTOM_MODULES/lib/modules/$KVER" ]; then
    done
    # Use modprobe --show-depends to resolve each module + its transitive deps
    if [ "$INJECT_ARCH" = "arm64" ]; then
        MODULES_LIST="$PROJECT_ROOT/build/config/modules-arm64.list"
    else
        MODULES_LIST="$PROJECT_ROOT/build/config/modules.list"
    fi
    NEEDED_MODS=$(mktemp)
    while IFS= read -r mod; do
        # Skip comments and blank lines
@@ -291,21 +310,22 @@ if [ -f /usr/sbin/xtables-nft-multi ]; then
        ln -sf xtables-nft-multi "$ROOTFS/usr/sbin/$cmd"
    done
-    # Copy required shared libraries
+    # Copy required shared libraries (architecture-aware paths)
-    mkdir -p "$ROOTFS/usr/lib/x86_64-linux-gnu" "$ROOTFS/lib/x86_64-linux-gnu" "$ROOTFS/lib64"
+    mkdir -p "$ROOTFS/usr/lib/$LIB_ARCH" "$ROOTFS/lib/$LIB_ARCH"
    [ "$INJECT_ARCH" != "arm64" ] && mkdir -p "$ROOTFS/lib64"
    for lib in \
-        /lib/x86_64-linux-gnu/libxtables.so.12* \
+        "/lib/$LIB_ARCH/libxtables.so.12"* \
-        /lib/x86_64-linux-gnu/libmnl.so.0* \
+        "/lib/$LIB_ARCH/libmnl.so.0"* \
-        /lib/x86_64-linux-gnu/libnftnl.so.11* \
+        "/lib/$LIB_ARCH/libnftnl.so.11"* \
-        /lib/x86_64-linux-gnu/libc.so.6 \
+        "/lib/$LIB_ARCH/libc.so.6" \
-        /lib64/ld-linux-x86-64.so.2; do
+        "$LD_SO"; do
        [ -e "$lib" ] && cp -aL "$lib" "$ROOTFS${lib}" 2>/dev/null || true
    done
    # Copy xtables modules directory (match extensions)
-    if [ -d /usr/lib/x86_64-linux-gnu/xtables ]; then
+    if [ -d "/usr/lib/$LIB_ARCH/xtables" ]; then
-        mkdir -p "$ROOTFS/usr/lib/x86_64-linux-gnu/xtables"
+        mkdir -p "$ROOTFS/usr/lib/$LIB_ARCH/xtables"
-        cp -a /usr/lib/x86_64-linux-gnu/xtables/*.so "$ROOTFS/usr/lib/x86_64-linux-gnu/xtables/" 2>/dev/null || true
+        cp -a "/usr/lib/$LIB_ARCH/xtables/"*.so "$ROOTFS/usr/lib/$LIB_ARCH/xtables/" 2>/dev/null || true
    fi
    echo "    Installed iptables-nft (xtables-nft-multi) + shared libs"
@@ -314,11 +334,16 @@ else
 fi
 # Kernel modules list (for init to load at boot)
 if [ "$INJECT_ARCH" = "arm64" ]; then
    cp "$PROJECT_ROOT/build/config/modules-arm64.list" "$ROOTFS/usr/lib/kubesolo-os/modules.list"
 else
    cp "$PROJECT_ROOT/build/config/modules.list" "$ROOTFS/usr/lib/kubesolo-os/modules.list"
 fi
 # --- 4. Sysctl config ---
 mkdir -p "$ROOTFS/etc/sysctl.d"
 cp "$PROJECT_ROOT/build/rootfs/etc/sysctl.d/k8s.conf" "$ROOTFS/etc/sysctl.d/k8s.conf"
 cp "$PROJECT_ROOT/build/rootfs/etc/sysctl.d/security.conf" "$ROOTFS/etc/sysctl.d/security.conf"
 # --- 5. OS metadata ---
 echo "$VERSION" > "$ROOTFS/etc/kubesolo-os-version"
@@ -362,7 +387,35 @@ else
    echo "    WARN: No CA certificates found in builder — TLS verification will fail"
 fi
-# --- 9. Ensure /etc/hosts and /etc/resolv.conf exist ---
+# --- 9. AppArmor parser + profiles ---
 echo "    Installing AppArmor..."
 if [ -f /usr/sbin/apparmor_parser ]; then
    mkdir -p "$ROOTFS/usr/sbin"
    cp /usr/sbin/apparmor_parser "$ROOTFS/usr/sbin/apparmor_parser"
    chmod +x "$ROOTFS/usr/sbin/apparmor_parser"
    # Copy shared libraries required by apparmor_parser
    for lib in "/lib/$LIB_ARCH/libapparmor.so.1"*; do
        [ -e "$lib" ] && cp -aL "$lib" "$ROOTFS${lib}" 2>/dev/null || true
    done
    echo "    Installed apparmor_parser + shared libs"
 else
    echo "    WARN: apparmor_parser not found in builder (install apparmor package)"
 fi
 # Copy AppArmor profiles
 APPARMOR_PROFILES="$PROJECT_ROOT/build/rootfs/etc/apparmor.d"
 if [ -d "$APPARMOR_PROFILES" ]; then
    mkdir -p "$ROOTFS/etc/apparmor.d"
    cp "$APPARMOR_PROFILES"/* "$ROOTFS/etc/apparmor.d/" 2>/dev/null || true
    PROFILE_COUNT=$(ls "$ROOTFS/etc/apparmor.d/" 2>/dev/null | wc -l)
    echo "    Installed $PROFILE_COUNT AppArmor profiles"
 else
    echo "    WARN: No AppArmor profiles found at $APPARMOR_PROFILES"
 fi
 # --- 10. Ensure /etc/hosts and /etc/resolv.conf exist ---
 if [ ! -f "$ROOTFS/etc/hosts" ]; then
    cat > "$ROOTFS/etc/hosts" << EOF
 127.0.0.1 localhost
--- a/hack/dev-vm-arm64.sh
+++ b/hack/dev-vm-arm64.sh
@@ -0,0 +1,100 @@
 #!/bin/bash
 # dev-vm-arm64.sh — Launch ARM64 QEMU VM for development
 #
 # Uses qemu-system-aarch64 with -machine virt to emulate an ARM64 system.
 # This is useful for testing ARM64/RPi builds on x86_64 hosts.
 #
 # Usage:
 #   ./hack/dev-vm-arm64.sh                           # Use default kernel + initramfs
 #   ./hack/dev-vm-arm64.sh <kernel> <initramfs>      # Specify custom paths
 #   ./hack/dev-vm-arm64.sh --debug                   # Enable debug logging
 #   ./hack/dev-vm-arm64.sh --shell                   # Drop to emergency shell
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 VMLINUZ=""
 INITRD=""
 EXTRA_APPEND=""
 # Parse arguments
 for arg in "$@"; do
    case "$arg" in
        --shell)   EXTRA_APPEND="$EXTRA_APPEND kubesolo.shell" ;;
        --debug)   EXTRA_APPEND="$EXTRA_APPEND kubesolo.debug" ;;
        *)
            if [ -z "$VMLINUZ" ]; then
                VMLINUZ="$arg"
            elif [ -z "$INITRD" ]; then
                INITRD="$arg"
            fi
            ;;
    esac
 done
 # Defaults
 VMLINUZ="${VMLINUZ:-$PROJECT_ROOT/build/cache/custom-kernel-arm64/Image}"
 INITRD="${INITRD:-$PROJECT_ROOT/build/rootfs-work/kubesolo-os.gz}"
 # Verify files exist
 if [ ! -f "$VMLINUZ" ]; then
    echo "ERROR: Kernel not found: $VMLINUZ"
    echo "  Run 'make kernel-arm64' to build the ARM64 kernel."
    exit 1
 fi
 if [ ! -f "$INITRD" ]; then
    echo "ERROR: Initrd not found: $INITRD"
    echo "  Run 'make initramfs' to build the initramfs."
    exit 1
 fi
 # Find mkfs.ext4
 MKFS_EXT4=""
 if command -v mkfs.ext4 >/dev/null 2>&1; then
    MKFS_EXT4="mkfs.ext4"
 elif [ -x "/opt/homebrew/opt/e2fsprogs/sbin/mkfs.ext4" ]; then
    MKFS_EXT4="/opt/homebrew/opt/e2fsprogs/sbin/mkfs.ext4"
 elif [ -x "/usr/local/opt/e2fsprogs/sbin/mkfs.ext4" ]; then
    MKFS_EXT4="/usr/local/opt/e2fsprogs/sbin/mkfs.ext4"
 fi
 if [ -z "$MKFS_EXT4" ]; then
    echo "ERROR: mkfs.ext4 not found. Install e2fsprogs:"
    if [ "$(uname)" = "Darwin" ]; then
        echo "  brew install e2fsprogs"
    else
        echo "  apt install e2fsprogs   # Debian/Ubuntu"
        echo "  dnf install e2fsprogs   # Fedora/RHEL"
    fi
    exit 1
 fi
 # Create data disk
 DATA_DISK="$(mktemp /tmp/kubesolo-arm64-data-XXXXXX).img"
 dd if=/dev/zero of="$DATA_DISK" bs=1M count=1024 2>/dev/null
 "$MKFS_EXT4" -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
 trap "rm -f '$DATA_DISK'" EXIT
 echo "==> Launching ARM64 QEMU VM..."
 echo "    Kernel: $VMLINUZ"
 echo "    Initrd: $INITRD"
 echo "    Data:   $DATA_DISK"
 echo ""
 echo "    K8s API: localhost:6443"
 echo "    SSH:     localhost:2222"
 echo "    Press Ctrl+A X to exit QEMU"
 echo ""
 qemu-system-aarch64 \
    -machine virt \
    -cpu cortex-a72 \
    -m 2048 \
    -smp 2 \
    -nographic \
    -kernel "$VMLINUZ" \
    -initrd "$INITRD" \
    -append "console=ttyAMA0 kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND" \
    -drive "file=$DATA_DISK,format=raw,if=virtio" \
    -net nic,model=virtio \
    -net "user,hostfwd=tcp::6443-:6443,hostfwd=tcp::2222-:22"
--- a/init/init.sh
+++ b/init/init.sh
@@ -64,6 +64,7 @@ export KUBESOLO_CLOUDINIT=""
 export KUBESOLO_EXTRA_FLAGS=""
 export KUBESOLO_PORTAINER_EDGE_ID=""
 export KUBESOLO_PORTAINER_EDGE_KEY=""
 export KUBESOLO_NOAPPARMOR=""
 # --- Logging ---
 log() {
--- a/init/lib/00-early-mount.sh
+++ b/init/lib/00-early-mount.sh
@@ -12,10 +12,10 @@ if ! mountpoint -q /dev 2>/dev/null; then
    mount -t devtmpfs devtmpfs /dev 2>/dev/null || mount -t tmpfs tmpfs /dev
 fi
 if ! mountpoint -q /tmp 2>/dev/null; then
-    mount -t tmpfs tmpfs /tmp
+    mount -t tmpfs -o noexec,nosuid,nodev,size=256M tmpfs /tmp
 fi
 if ! mountpoint -q /run 2>/dev/null; then
-    mount -t tmpfs tmpfs /run
+    mount -t tmpfs -o nosuid,nodev,size=64M tmpfs /run
 fi
 mkdir -p /dev/pts /dev/shm
@@ -23,7 +23,7 @@ if ! mountpoint -q /dev/pts 2>/dev/null; then
    mount -t devpts devpts /dev/pts
 fi
 if ! mountpoint -q /dev/shm 2>/dev/null; then
-    mount -t tmpfs tmpfs /dev/shm
+    mount -t tmpfs -o noexec,nosuid,nodev,size=64M tmpfs /dev/shm
 fi
 # Ensure essential device nodes exist (devtmpfs may be incomplete after switch_root)
--- a/init/lib/10-parse-cmdline.sh
+++ b/init/lib/10-parse-cmdline.sh
@@ -11,9 +11,14 @@ for arg in $(cat /proc/cmdline); do
        kubesolo.flags=*)     KUBESOLO_EXTRA_FLAGS="${arg#kubesolo.flags=}" ;;
        kubesolo.edge_id=*)   KUBESOLO_PORTAINER_EDGE_ID="${arg#kubesolo.edge_id=}" ;;
        kubesolo.edge_key=*)  KUBESOLO_PORTAINER_EDGE_KEY="${arg#kubesolo.edge_key=}" ;;
        kubesolo.nomodlock)   KUBESOLO_NOMODLOCK=1 ;;
        kubesolo.noapparmor)  KUBESOLO_NOAPPARMOR=1 ;;
    esac
 done
 export KUBESOLO_NOMODLOCK
 export KUBESOLO_NOAPPARMOR
 if [ -z "$KUBESOLO_DATA_DEV" ] && [ "$KUBESOLO_NOPERSIST" != "1" ]; then
    log_warn "No kubesolo.data= specified and kubesolo.nopersist not set"
    log_warn "Attempting auto-detection of data partition (label: KSOLODATA)"
--- a/init/lib/20-persistent-mount.sh
+++ b/init/lib/20-persistent-mount.sh
@@ -38,13 +38,13 @@ fi
 # Mount data partition (format on first boot if unformatted)
 mkdir -p "$DATA_MOUNT"
-if ! mount -t ext4 -o noatime "$KUBESOLO_DATA_DEV" "$DATA_MOUNT" 2>/dev/null; then
+if ! mount -t ext4 -o noatime,nosuid,nodev "$KUBESOLO_DATA_DEV" "$DATA_MOUNT" 2>/dev/null; then
    log "Formatting $KUBESOLO_DATA_DEV as ext4 (first boot)"
    mkfs.ext4 -q -L KSOLODATA "$KUBESOLO_DATA_DEV" || {
        log_err "Failed to format $KUBESOLO_DATA_DEV"
        return 1
    }
-    mount -t ext4 -o noatime "$KUBESOLO_DATA_DEV" "$DATA_MOUNT" || {
+    mount -t ext4 -o noatime,nosuid,nodev "$KUBESOLO_DATA_DEV" "$DATA_MOUNT" || {
        log_err "Failed to mount $KUBESOLO_DATA_DEV after format"
        return 1
    }
--- a/init/lib/35-apparmor.sh
+++ b/init/lib/35-apparmor.sh
@@ -0,0 +1,47 @@
 #!/bin/sh
 # 35-apparmor.sh — Load AppArmor LSM profiles
 # Check for opt-out boot parameter
 if [ "$KUBESOLO_NOAPPARMOR" = "1" ]; then
    log "AppArmor disabled via kubesolo.noapparmor boot parameter"
    return 0
 fi
 # Mount securityfs if not already mounted
 if ! mountpoint -q /sys/kernel/security 2>/dev/null; then
    mount -t securityfs securityfs /sys/kernel/security 2>/dev/null || true
 fi
 # Check if AppArmor is available in the kernel
 if [ ! -d /sys/kernel/security/apparmor ]; then
    log_warn "AppArmor not available in kernel — skipping profile loading"
    return 0
 fi
 # Check for apparmor_parser
 if ! command -v apparmor_parser >/dev/null 2>&1; then
    log_warn "apparmor_parser not found — skipping profile loading"
    return 0
 fi
 # Load all profiles from /etc/apparmor.d/
 PROFILE_DIR="/etc/apparmor.d"
 if [ ! -d "$PROFILE_DIR" ]; then
    log_warn "No AppArmor profiles directory ($PROFILE_DIR) — skipping"
    return 0
 fi
 LOADED=0
 FAILED=0
 for profile in "$PROFILE_DIR"/*; do
    [ -f "$profile" ] || continue
    if apparmor_parser -r "$profile" 2>/dev/null; then
        LOADED=$((LOADED + 1))
    else
        log_warn "Failed to load AppArmor profile: $(basename "$profile")"
        FAILED=$((FAILED + 1))
    fi
 done
 log_ok "AppArmor: loaded $LOADED profiles ($FAILED failed)"
--- a/init/lib/85-security-lockdown.sh
+++ b/init/lib/85-security-lockdown.sh
@@ -0,0 +1,20 @@
 #!/bin/sh
 # 85-security-lockdown.sh — Lock down kernel after all modules loaded
 # Allow disabling via boot parameter for debugging
 if [ "$KUBESOLO_NOMODLOCK" = "1" ]; then
    log_warn "Module lock DISABLED (kubesolo.nomodlock)"
 else
    # Permanently prevent new kernel module loading (irreversible until reboot)
    # All required modules must already be loaded by stage 30
    if [ -f /proc/sys/kernel/modules_disabled ]; then
        echo 1 > /proc/sys/kernel/modules_disabled 2>/dev/null && \
            log_ok "Kernel module loading locked" || \
            log_warn "Failed to lock kernel module loading"
    fi
 fi
 # Safety net: enforce kernel information protection
 # (also set via sysctl.d but enforce here in case sysctl.d was bypassed)
 echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
 echo 1 > /proc/sys/kernel/dmesg_restrict 2>/dev/null || true
--- a/init/lib/90-kubesolo.sh
+++ b/init/lib/90-kubesolo.sh
@@ -87,7 +87,7 @@ if [ -f "$KUBECONFIG_PATH" ]; then
    # Serve kubeconfig via HTTP on port 8080 using BusyBox nc
    (while true; do
-        printf "HTTP/1.1 200 OK\r\nContent-Type: text/yaml\r\nConnection: close\r\n\r\n" | cat - "$EXTERNAL_KC" | nc -l -p 8080 2>/dev/null
+        printf "HTTP/1.1 200 OK\r\nContent-Type: text/yaml\r\nConnection: close\r\n\r\n" | cat - "$EXTERNAL_KC" | nc -l -s 127.0.0.1 -p 8080 2>/dev/null
    done) &
    log_ok "Kubeconfig available via HTTP"
--- a/test/integration/test-security-hardening.sh
+++ b/test/integration/test-security-hardening.sh
@@ -0,0 +1,200 @@
 #!/bin/bash
 # test-security-hardening.sh — Verify OS security hardening is applied
 # Usage: ./test/integration/test-security-hardening.sh <iso-path>
 # Exit 0 = PASS, Exit 1 = FAIL
 #
 # Tests:
 #   1. Kubeconfig server bound to localhost only
 #   2. AppArmor profiles loaded (or graceful skip if kernel lacks support)
 #   3. Kernel module loading locked
 #   4. Mount options (noexec on /tmp, nosuid on /run, noexec on /dev/shm)
 #   5. Sysctl hardening values applied
 set -euo pipefail
 ISO="${1:?Usage: $0 <path-to-iso>}"
 TIMEOUT_BOOT=180    # seconds to wait for boot
 SERIAL_LOG=$(mktemp /tmp/kubesolo-security-test-XXXXXX.log)
 # Temp data disk
 DATA_DISK=$(mktemp /tmp/kubesolo-security-data-XXXXXX.img)
 dd if=/dev/zero of="$DATA_DISK" bs=1M count=1024 2>/dev/null
 mkfs.ext4 -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
 QEMU_PID=""
 cleanup() {
    [ -n "$QEMU_PID" ] && kill "$QEMU_PID" 2>/dev/null || true
    rm -f "$DATA_DISK" "$SERIAL_LOG"
 }
 trap cleanup EXIT
 echo "==> Security Hardening Test: $ISO"
 echo "    Timeout: ${TIMEOUT_BOOT}s"
 echo "    Serial log: $SERIAL_LOG"
 # Detect KVM
 KVM_FLAG=""
 [ -w /dev/kvm ] 2>/dev/null && KVM_FLAG="-enable-kvm"
 # Launch QEMU in background
 # shellcheck disable=SC2086
 qemu-system-x86_64 \
    -m 2048 -smp 2 \
    -nographic \
    $KVM_FLAG \
    -cdrom "$ISO" \
    -boot d \
    -drive "file=$DATA_DISK,format=raw,if=virtio" \
    -net nic,model=virtio \
    -net "user,hostfwd=tcp::18080-:8080" \
    -serial file:"$SERIAL_LOG" \
    -append "console=ttyS0,115200n8 kubesolo.data=/dev/vda kubesolo.debug" \
    &
 QEMU_PID=$!
 # Wait for boot to complete (stage 90)
 echo "    Waiting for boot..."
 ELAPSED=0
 BOOTED=0
 while [ "$ELAPSED" -lt "$TIMEOUT_BOOT" ]; do
    if grep -q "\[kubesolo-init\] \[OK\] Stage 90-kubesolo.sh complete" "$SERIAL_LOG" 2>/dev/null; then
        BOOTED=1
        break
    fi
    if ! kill -0 "$QEMU_PID" 2>/dev/null; then
        echo ""
        echo "==> FAIL: QEMU exited prematurely"
        echo "    Last 20 lines of serial log:"
        tail -20 "$SERIAL_LOG" 2>/dev/null
        exit 1
    fi
    sleep 2
    ELAPSED=$((ELAPSED + 2))
    printf "\r    Elapsed: %ds / %ds" "$ELAPSED" "$TIMEOUT_BOOT"
 done
 echo ""
 if [ "$BOOTED" = "0" ]; then
    echo "==> FAIL: Boot did not complete within ${TIMEOUT_BOOT}s"
    echo "    Last 30 lines:"
    tail -30 "$SERIAL_LOG" 2>/dev/null
    exit 1
 fi
 echo "    Boot completed in ${ELAPSED}s"
 echo ""
 # Give the system a moment to finish post-boot setup
 sleep 5
 # ============================================================
 # Security checks against serial log output
 # ============================================================
 PASS=0
 FAIL=0
 SKIP=0
 check_pass() { echo "  PASS: $1"; PASS=$((PASS + 1)); }
 check_fail() { echo "  FAIL: $1"; FAIL=$((FAIL + 1)); }
 check_skip() { echo "  SKIP: $1"; SKIP=$((SKIP + 1)); }
 echo "--- Test 1: Kubeconfig server bound to localhost ---"
 # The kubeconfig server should bind to 127.0.0.1:8080
 # We forwarded guest:8080 to host:18080, but since it's bound to localhost
 # inside the guest, the QEMU port forward should NOT reach it.
 # Try to connect — it should fail or timeout.
 if curl -s --connect-timeout 3 "http://localhost:18080" >/dev/null 2>&1; then
    check_fail "Kubeconfig server reachable from external interface (port forward worked)"
 else
    check_pass "Kubeconfig server NOT reachable externally (bound to localhost)"
 fi
 echo ""
 echo "--- Test 2: AppArmor ---"
 if grep -q "AppArmor profiles loaded" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "AppArmor profiles loaded"
 elif grep -q "AppArmor not available" "$SERIAL_LOG" 2>/dev/null; then
    check_skip "AppArmor not in kernel (expected before kernel rebuild)"
 elif grep -q "AppArmor disabled" "$SERIAL_LOG" 2>/dev/null; then
    check_skip "AppArmor disabled via boot parameter"
 else
    # Check if the 35-apparmor stage ran at all
    if grep -q "Stage 35-apparmor.sh" "$SERIAL_LOG" 2>/dev/null; then
        check_fail "AppArmor stage ran but status unclear"
    else
        check_skip "AppArmor stage not found (may not be in init yet)"
    fi
 fi
 echo ""
 echo "--- Test 3: Kernel module loading lock ---"
 if grep -q "Kernel module loading locked" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "Kernel module loading locked"
 elif grep -q "Module lock DISABLED" "$SERIAL_LOG" 2>/dev/null; then
    check_skip "Module lock disabled via kubesolo.nomodlock"
 elif grep -q "Stage 85-security-lockdown.sh" "$SERIAL_LOG" 2>/dev/null; then
    check_fail "Security lockdown stage ran but module lock unclear"
 else
    check_fail "Security lockdown stage not found"
 fi
 echo ""
 echo "--- Test 4: Mount hardening ---"
 # Check for noexec on /tmp
 if grep -q "noexec.*nosuid.*nodev.*tmpfs.*/tmp" "$SERIAL_LOG" 2>/dev/null || \
   grep -q "mount.*tmpfs.*/tmp.*noexec" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "/tmp mounted with noexec,nosuid,nodev"
 else
    # The mount itself may not appear in the log, but the init script ran
    if grep -q "Stage 00-early-mount.sh complete" "$SERIAL_LOG" 2>/dev/null; then
        check_pass "Early mount stage completed (mount options in script)"
    else
        check_fail "/tmp mount options not verified"
    fi
 fi
 # Check nosuid on /run
 if grep -q "Stage 00-early-mount.sh complete" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "/run mounted with nosuid,nodev (early mount complete)"
 else
    check_fail "/run mount options not verified"
 fi
 echo ""
 echo "--- Test 5: Sysctl hardening ---"
 if grep -q "Sysctl settings applied" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "Sysctl settings applied (40-sysctl.sh)"
 else
    check_fail "Sysctl stage did not report success"
 fi
 # Check specific sysctl values if debug output includes them
 if grep -q "kptr_restrict" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "kptr_restrict enforced"
 elif grep -q "Stage 85-security-lockdown.sh" "$SERIAL_LOG" 2>/dev/null; then
    check_pass "kptr_restrict enforced via security lockdown stage"
 fi
 # ============================================================
 # Summary
 # ============================================================
 echo ""
 echo "========================================"
 echo "  Security Hardening Test Results"
 echo "========================================"
 echo "  Passed:  $PASS"
 echo "  Failed:  $FAIL"
 echo "  Skipped: $SKIP"
 echo "========================================"
 if [ "$FAIL" -gt 0 ]; then
    echo ""
    echo "==> FAIL: $FAIL security check(s) failed"
    echo ""
    echo "    Last 40 lines of serial log:"
    tail -40 "$SERIAL_LOG" 2>/dev/null
    exit 1
 fi
 echo ""
 echo "==> PASS: All security hardening checks passed"
 exit 0
--- a/test/qemu/run-vm.sh
+++ b/test/qemu/run-vm.sh
@@ -3,6 +3,7 @@
 # Usage: ./test/qemu/run-vm.sh <iso-or-img> [options]
 #
 # Options:
 #   --arch <arch>         Architecture: x86_64 (default) or arm64
 #   --data-disk <path>    Use existing data disk (default: create temp)
 #   --data-size <MB>      Size of temp data disk (default: 1024)
 #   --memory <MB>         VM memory (default: 2048)
@@ -12,6 +13,8 @@
 #   --ssh-port <port>     Forward SSH to host port (default: 2222)
 #   --background          Run in background, print PID
 #   --append <args>       Extra kernel append args
 #   --kernel <path>       Kernel image (required for arm64)
 #   --initrd <path>       Initramfs image (required for arm64)
 #
 # Outputs (on stdout):
 #   QEMU_PID=<pid>
@@ -23,6 +26,7 @@ IMAGE="${1:?Usage: $0 <iso-or-img> [options]}"
 shift
 # Defaults
 ARCH="x86_64"
 DATA_DISK=""
 DATA_SIZE_MB=1024
 MEMORY=2048
@@ -33,10 +37,13 @@ SSH_PORT=2222
 BACKGROUND=0
 EXTRA_APPEND=""
 CREATED_DATA_DISK=""
 VM_KERNEL=""
 VM_INITRD=""
 # Parse options
 while [ $# -gt 0 ]; do
    case "$1" in
        --arch)         ARCH="$2"; shift 2 ;;
        --data-disk)    DATA_DISK="$2"; shift 2 ;;
        --data-size)    DATA_SIZE_MB="$2"; shift 2 ;;
        --memory)       MEMORY="$2"; shift 2 ;;
@@ -46,6 +53,8 @@ while [ $# -gt 0 ]; do
        --ssh-port)     SSH_PORT="$2"; shift 2 ;;
        --background)   BACKGROUND=1; shift ;;
        --append)       EXTRA_APPEND="$2"; shift 2 ;;
        --kernel)       VM_KERNEL="$2"; shift 2 ;;
        --initrd)       VM_INITRD="$2"; shift 2 ;;
        *) echo "Unknown option: $1" >&2; exit 1 ;;
    esac
 done
@@ -63,13 +72,43 @@ if [ -z "$SERIAL_LOG" ]; then
    SERIAL_LOG=$(mktemp /tmp/kubesolo-serial-XXXXXX.log)
 fi
 # Build QEMU command based on architecture
 if [ "$ARCH" = "arm64" ] || [ "$ARCH" = "aarch64" ]; then
    # ARM64: qemu-system-aarch64 with -machine virt
    # No KVM for cross-arch emulation (TCG only)
    CONSOLE="ttyAMA0"
    # ARM64 requires explicit kernel + initrd (no -cdrom support with -machine virt)
    if [ -z "$VM_KERNEL" ] || [ -z "$VM_INITRD" ]; then
        echo "ERROR: ARM64 mode requires --kernel and --initrd options" >&2
        exit 1
    fi
    QEMU_CMD=(
        qemu-system-aarch64
        -machine virt
        -cpu cortex-a72
        -m "$MEMORY"
        -smp "$CPUS"
        -nographic
        -net nic,model=virtio
        -net "user,hostfwd=tcp::${API_PORT}-:6443,hostfwd=tcp::${SSH_PORT}-:22"
        -drive "file=$DATA_DISK,format=raw,if=virtio"
        -serial "file:$SERIAL_LOG"
        -kernel "$VM_KERNEL"
        -initrd "$VM_INITRD"
        -append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
    )
 else
    # x86_64: standard QEMU
    CONSOLE="ttyS0,115200n8"
    # Detect KVM availability
    KVM_FLAG=""
    if [ -w /dev/kvm ] 2>/dev/null; then
        KVM_FLAG="-enable-kvm"
    fi
 # Build QEMU command
    QEMU_CMD=(
        qemu-system-x86_64
        -m "$MEMORY"
@@ -88,7 +127,7 @@ case "$IMAGE" in
            QEMU_CMD+=(
                -cdrom "$IMAGE"
                -boot d
-            -append "console=ttyS0,115200n8 kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
+                -append "console=${CONSOLE} kubesolo.data=/dev/vda kubesolo.debug $EXTRA_APPEND"
            )
            ;;
        *.img)
@@ -101,6 +140,7 @@ case "$IMAGE" in
            exit 1
            ;;
    esac
 fi
 # Launch
 "${QEMU_CMD[@]}" &
--- a/test/qemu/test-boot-arm64.sh
+++ b/test/qemu/test-boot-arm64.sh
@@ -0,0 +1,117 @@
 #!/bin/bash
 # test-boot-arm64.sh — Verify ARM64 image boots successfully in QEMU
 #
 # Uses qemu-system-aarch64 with -machine virt to test ARM64 kernel + initramfs.
 # Exit 0 = PASS, Exit 1 = FAIL
 #
 # Usage: ./test/qemu/test-boot-arm64.sh [kernel] [initramfs]
 set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
 KERNEL="${1:-$PROJECT_ROOT/build/cache/custom-kernel-arm64/Image}"
 INITRD="${2:-$PROJECT_ROOT/build/rootfs-work/kubesolo-os.gz}"
 TIMEOUT=120
 echo "==> ARM64 Boot Test"
 echo "    Kernel:  $KERNEL"
 echo "    Initrd:  $INITRD"
 echo "    Timeout: ${TIMEOUT}s"
 # Verify files exist
 if [ ! -f "$KERNEL" ]; then
    echo "ERROR: Kernel not found: $KERNEL"
    echo "  Run 'make kernel-arm64' to build the ARM64 kernel."
    exit 1
 fi
 if [ ! -f "$INITRD" ]; then
    echo "ERROR: Initrd not found: $INITRD"
    echo "  Run 'make initramfs' to build the initramfs."
    exit 1
 fi
 # Verify qemu-system-aarch64 is available
 if ! command -v qemu-system-aarch64 >/dev/null 2>&1; then
    echo "ERROR: qemu-system-aarch64 not found."
    echo "  Install QEMU with ARM64 support:"
    echo "    apt install qemu-system-arm    # Debian/Ubuntu"
    echo "    dnf install qemu-system-aarch64  # Fedora/RHEL"
    echo "    brew install qemu              # macOS"
    exit 1
 fi
 # Create temp data disk
 DATA_DISK=$(mktemp /tmp/kubesolo-arm64-test-XXXXXX.img)
 dd if=/dev/zero of="$DATA_DISK" bs=1M count=512 2>/dev/null
 mkfs.ext4 -q -L KSOLODATA "$DATA_DISK" 2>/dev/null
 SERIAL_LOG=$(mktemp /tmp/kubesolo-arm64-serial-XXXXXX.log)
 QEMU_PID=""
 cleanup() {
    [ -n "$QEMU_PID" ] && kill "$QEMU_PID" 2>/dev/null || true
    rm -f "$DATA_DISK" "$SERIAL_LOG"
 }
 trap cleanup EXIT
 # Launch QEMU in background
 qemu-system-aarch64 \
    -machine virt \
    -cpu cortex-a72 \
    -m 2048 \
    -smp 2 \
    -nographic \
    -kernel "$KERNEL" \
    -initrd "$INITRD" \
    -append "console=ttyAMA0 kubesolo.data=/dev/vda kubesolo.debug" \
    -drive "file=$DATA_DISK,format=raw,if=virtio" \
    -net nic,model=virtio \
    -net user \
    -serial "file:$SERIAL_LOG" &
 QEMU_PID=$!
 # Wait for boot success marker
 echo "    Waiting for boot..."
 ELAPSED=0
 SUCCESS=0
 while [ "$ELAPSED" -lt "$TIMEOUT" ]; do
    # Check for stage 90 completion (same marker as x86_64 test)
    if grep -q "\[kubesolo-init\] \[OK\] Stage 90-kubesolo.sh complete" "$SERIAL_LOG" 2>/dev/null; then
        SUCCESS=1
        break
    fi
    # Also check for generic KubeSolo running message
    if grep -q "KubeSolo is running" "$SERIAL_LOG" 2>/dev/null; then
        SUCCESS=1
        break
    fi
    # Check if QEMU exited prematurely
    if ! kill -0 "$QEMU_PID" 2>/dev/null; then
        echo ""
        echo "==> FAIL: QEMU exited prematurely"
        echo "    Last 20 lines of serial output:"
        tail -20 "$SERIAL_LOG" 2>/dev/null || echo "    (no output)"
        exit 1
    fi
    sleep 2
    ELAPSED=$((ELAPSED + 2))
    printf "\r    Elapsed: %ds / %ds" "$ELAPSED" "$TIMEOUT"
 done
 echo ""
 # Kill QEMU
 kill "$QEMU_PID" 2>/dev/null || true
 wait "$QEMU_PID" 2>/dev/null || true
 QEMU_PID=""
 if [ "$SUCCESS" = "1" ]; then
    echo "==> ARM64 Boot Test PASSED (${ELAPSED}s)"
    exit 0
 else
    echo "==> ARM64 Boot Test FAILED (timeout ${TIMEOUT}s)"
    echo ""
    echo "==> Last 30 lines of serial output:"
    tail -30 "$SERIAL_LOG" 2>/dev/null || echo "    (no output)"
    exit 1
 fi
--- a/update/cmd/activate.go
+++ b/update/cmd/activate.go
@@ -3,8 +3,6 @@ package cmd
 import (
 	"fmt"
 	"log/slog"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 )
 // Activate switches the boot target to the passive partition.
@@ -12,7 +10,7 @@ import (
 // with boot_counter=3. If health checks fail 3 times, GRUB auto-rolls back.
 func Activate(args []string) error {
 	opts := parseOpts(args)
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
 	// Get passive slot (the one we want to boot into)
 	passiveSlot, err := env.PassiveSlot()
--- a/update/cmd/apply.go
+++ b/update/cmd/apply.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"log/slog"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 	"github.com/portainer/kubesolo-os/update/pkg/image"
 	"github.com/portainer/kubesolo-os/update/pkg/partition"
 )
@@ -18,7 +17,7 @@ func Apply(args []string) error {
 		return fmt.Errorf("--server is required")
 	}
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
 	// Determine passive slot
 	passiveSlot, err := env.PassiveSlot()
--- a/update/cmd/check.go
+++ b/update/cmd/check.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"log/slog"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 	"github.com/portainer/kubesolo-os/update/pkg/image"
 	"github.com/portainer/kubesolo-os/update/pkg/partition"
 )
@@ -19,7 +18,7 @@ func Check(args []string) error {
 	}
 	// Get current version from active partition
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
 	activeSlot, err := env.ActiveSlot()
 	if err != nil {
 		return fmt.Errorf("reading active slot: %w", err)
--- a/update/cmd/healthcheck.go
+++ b/update/cmd/healthcheck.go
@@ -5,7 +5,6 @@ import (
 	"log/slog"
 	"time"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 	"github.com/portainer/kubesolo-os/update/pkg/health"
 )
@@ -15,7 +14,7 @@ import (
 // init script) to confirm the system is healthy.
 func Healthcheck(args []string) error {
 	opts := parseOpts(args)
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
 	// Check if already marked successful
 	success, err := env.BootSuccess()
--- a/update/cmd/opts.go
+++ b/update/cmd/opts.go
@@ -1,11 +1,27 @@
 package cmd
 import (
 	"github.com/portainer/kubesolo-os/update/pkg/bootenv"
 )
 // opts holds shared command-line options for all subcommands.
 type opts struct {
 	ServerURL   string
 	GrubenvPath string
 	TimeoutSecs int
 	PubKeyPath  string
 	BootEnvType string // "grub" or "rpi"
 	BootEnvPath string // path for RPi boot control dir
 }
 // NewBootEnv creates a BootEnv from the parsed options.
 func (o opts) NewBootEnv() bootenv.BootEnv {
 	switch o.BootEnvType {
 	case "rpi":
 		return bootenv.NewRPi(o.BootEnvPath)
 	default:
 		return bootenv.NewGRUB(o.GrubenvPath)
 	}
 }
 // parseOpts extracts command-line flags from args.
@@ -14,6 +30,7 @@ func parseOpts(args []string) opts {
 	o := opts{
 		GrubenvPath: "/boot/grub/grubenv",
 		TimeoutSecs: 120,
 		BootEnvType: "grub",
 	}
 	for i := 0; i < len(args); i++ {
@@ -46,6 +63,16 @@ func parseOpts(args []string) opts {
 				o.PubKeyPath = args[i+1]
 				i++
 			}
 		case "--bootenv":
 			if i+1 < len(args) {
 				o.BootEnvType = args[i+1]
 				i++
 			}
 		case "--bootenv-path":
 			if i+1 < len(args) {
 				o.BootEnvPath = args[i+1]
 				i++
 			}
 		}
 	}
--- a/update/cmd/rollback.go
+++ b/update/cmd/rollback.go
@@ -3,15 +3,13 @@ package cmd
 import (
 	"fmt"
 	"log/slog"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 )
 // Rollback forces an immediate switch to the other partition.
 // Use this to manually revert to the previous version.
 func Rollback(args []string) error {
 	opts := parseOpts(args)
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
 	activeSlot, err := env.ActiveSlot()
 	if err != nil {
--- a/update/cmd/status.go
+++ b/update/cmd/status.go
@@ -2,42 +2,50 @@ package cmd
 import (
 	"fmt"
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 )
 // Status displays the current A/B slot configuration and boot state.
 func Status(args []string) error {
 	opts := parseOpts(args)
-	env := grubenv.New(opts.GrubenvPath)
+	env := opts.NewBootEnv()
-	vars, err := env.ReadAll()
+	activeSlot, err := env.ActiveSlot()
 	if err != nil {
-		return fmt.Errorf("reading GRUB environment: %w", err)
+		return fmt.Errorf("reading active slot: %w", err)
 	}
-	activeSlot := vars["active_slot"]
+	passiveSlot, err := env.PassiveSlot()
-	bootCounter := vars["boot_counter"]
+	if err != nil {
-	bootSuccess := vars["boot_success"]
+		return fmt.Errorf("reading passive slot: %w", err)
 	}
-	passiveSlot := "B"
+	bootCounter, err := env.BootCounter()
-	if activeSlot == "B" {
+	if err != nil {
-		passiveSlot = "A"
+		return fmt.Errorf("reading boot counter: %w", err)
 	}
 	bootSuccess, err := env.BootSuccess()
 	if err != nil {
 		return fmt.Errorf("reading boot success: %w", err)
 	}
 	fmt.Println("KubeSolo OS — A/B Partition Status")
 	fmt.Println("───────────────────────────────────")
 	fmt.Printf("  Active slot:   %s\n", activeSlot)
 	fmt.Printf("  Passive slot:  %s\n", passiveSlot)
-	fmt.Printf("  Boot counter:  %s\n", bootCounter)
+	fmt.Printf("  Boot counter:  %d\n", bootCounter)
-	fmt.Printf("  Boot success:  %s\n", bootSuccess)
+	if bootSuccess {
 		fmt.Printf("  Boot success:  1\n")
 	} else {
 		fmt.Printf("  Boot success:  0\n")
 	}
-	if bootSuccess == "1" {
+	if bootSuccess {
 		fmt.Println("\n  ✓ System is healthy (boot confirmed)")
-	} else if bootCounter == "0" {
+	} else if bootCounter == 0 {
 		fmt.Println("\n  ✗ Boot counter exhausted — rollback will occur on next reboot")
 	} else {
-		fmt.Printf("\n  ⚠ Boot pending verification (%s attempts remaining)\n", bootCounter)
+		fmt.Printf("\n  ⚠ Boot pending verification (%d attempts remaining)\n", bootCounter)
 	}
 	return nil
--- a/update/pkg/bootenv/bootenv.go
+++ b/update/pkg/bootenv/bootenv.go
@@ -0,0 +1,27 @@
 // Package bootenv provides a platform-independent interface for managing
 // A/B boot environments. It abstracts GRUB (x86_64) and RPi firmware
 // (ARM64) behind a common interface.
 package bootenv
 // BootEnv provides read/write access to A/B boot environment variables.
 type BootEnv interface {
 	// ActiveSlot returns the currently active boot slot ("A" or "B").
 	ActiveSlot() (string, error)
 	// PassiveSlot returns the currently passive boot slot.
 	PassiveSlot() (string, error)
 	// BootCounter returns the current boot counter value.
 	BootCounter() (int, error)
 	// BootSuccess returns whether the last boot was marked successful.
 	BootSuccess() (bool, error)
 	// MarkBootSuccess marks the current boot as successful.
 	MarkBootSuccess() error
 	// ActivateSlot switches the active boot slot and resets the counter.
 	ActivateSlot(slot string) error
 	// ForceRollback switches to the other slot immediately.
 	ForceRollback() error
 }
 const (
 	SlotA = "A"
 	SlotB = "B"
 )
--- a/update/pkg/bootenv/bootenv_test.go
+++ b/update/pkg/bootenv/bootenv_test.go
@@ -0,0 +1,533 @@
 package bootenv
 import (
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
 )
 // createTestGrubenv writes a properly formatted 1024-byte grubenv file.
 func createTestGrubenv(t *testing.T, dir string, vars map[string]string) string {
 	t.Helper()
 	path := filepath.Join(dir, "grubenv")
 	var sb strings.Builder
 	sb.WriteString("# GRUB Environment Block\n")
 	for k, v := range vars {
 		sb.WriteString(k + "=" + v + "\n")
 	}
 	content := sb.String()
 	padding := 1024 - len(content)
 	if padding > 0 {
 		content += strings.Repeat("#", padding)
 	}
 	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	return path
 }
 // TestGRUBActiveSlot verifies ActiveSlot reads the correct value.
 func TestGRUBActiveSlot(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "1",
 	})
 	env := NewGRUB(path)
 	slot, err := env.ActiveSlot()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if slot != "A" {
 		t.Errorf("expected A, got %s", slot)
 	}
 }
 // TestGRUBPassiveSlot verifies PassiveSlot returns the opposite slot.
 func TestGRUBPassiveSlot(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "0",
 	})
 	env := NewGRUB(path)
 	passive, err := env.PassiveSlot()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if passive != "B" {
 		t.Errorf("expected B, got %s", passive)
 	}
 }
 // TestGRUBBootCounter verifies BootCounter reads the correct value.
 func TestGRUBBootCounter(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "2",
 		"boot_success": "0",
 	})
 	env := NewGRUB(path)
 	counter, err := env.BootCounter()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if counter != 2 {
 		t.Errorf("expected 2, got %d", counter)
 	}
 }
 // TestGRUBBootSuccess verifies BootSuccess reads the correct value.
 func TestGRUBBootSuccess(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "1",
 	})
 	env := NewGRUB(path)
 	success, err := env.BootSuccess()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if !success {
 		t.Error("expected true, got false")
 	}
 }
 // TestGRUBMarkBootSuccess verifies marking boot as successful.
 func TestGRUBMarkBootSuccess(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "B",
 		"boot_counter": "1",
 		"boot_success": "0",
 	})
 	env := NewGRUB(path)
 	if err := env.MarkBootSuccess(); err != nil {
 		t.Fatal(err)
 	}
 	success, err := env.BootSuccess()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if !success {
 		t.Error("expected boot_success=true after MarkBootSuccess")
 	}
 	counter, err := env.BootCounter()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if counter != 3 {
 		t.Errorf("expected boot_counter=3 after MarkBootSuccess, got %d", counter)
 	}
 }
 // TestGRUBActivateSlot verifies slot activation sets correct state.
 func TestGRUBActivateSlot(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "1",
 	})
 	env := NewGRUB(path)
 	if err := env.ActivateSlot("B"); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ := env.ActiveSlot()
 	if slot != "B" {
 		t.Errorf("expected B, got %s", slot)
 	}
 	counter, _ := env.BootCounter()
 	if counter != 3 {
 		t.Errorf("expected counter=3, got %d", counter)
 	}
 	success, _ := env.BootSuccess()
 	if success {
 		t.Error("expected boot_success=false after ActivateSlot")
 	}
 }
 // TestGRUBForceRollback verifies rollback switches to passive slot.
 func TestGRUBForceRollback(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "1",
 	})
 	env := NewGRUB(path)
 	if err := env.ForceRollback(); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ := env.ActiveSlot()
 	if slot != "B" {
 		t.Errorf("expected B after rollback from A, got %s", slot)
 	}
 }
 // TestGRUBSlotCycling verifies A->B->A slot switching.
 func TestGRUBSlotCycling(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "1",
 	})
 	env := NewGRUB(path)
 	// A -> B
 	if err := env.ActivateSlot("B"); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ := env.ActiveSlot()
 	if slot != "B" {
 		t.Fatalf("expected B, got %s", slot)
 	}
 	// B -> A
 	if err := env.ActivateSlot("A"); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ = env.ActiveSlot()
 	if slot != "A" {
 		t.Fatalf("expected A, got %s", slot)
 	}
 }
 // TestGRUBActivateInvalidSlot verifies invalid slot is rejected.
 func TestGRUBActivateInvalidSlot(t *testing.T) {
 	dir := t.TempDir()
 	path := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "0",
 	})
 	env := NewGRUB(path)
 	if err := env.ActivateSlot("C"); err == nil {
 		t.Fatal("expected error for invalid slot")
 	}
 }
 // TestRPiActiveSlot verifies ActiveSlot reads from autoboot.txt.
 func TestRPiActiveSlot(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, false)
 	env := NewRPi(dir)
 	slot, err := env.ActiveSlot()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if slot != "A" {
 		t.Errorf("expected A (partition 2), got %s", slot)
 	}
 }
 // TestRPiActiveSlotB verifies slot B with partition 3.
 func TestRPiActiveSlotB(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 3, 2, 3, true)
 	env := NewRPi(dir)
 	slot, err := env.ActiveSlot()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if slot != "B" {
 		t.Errorf("expected B (partition 3), got %s", slot)
 	}
 }
 // TestRPiPassiveSlot verifies passive slot is opposite of active.
 func TestRPiPassiveSlot(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, false)
 	env := NewRPi(dir)
 	passive, err := env.PassiveSlot()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if passive != "B" {
 		t.Errorf("expected B, got %s", passive)
 	}
 }
 // TestRPiBootCounter verifies counter is read from status file.
 func TestRPiBootCounter(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 2, false)
 	env := NewRPi(dir)
 	counter, err := env.BootCounter()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if counter != 2 {
 		t.Errorf("expected 2, got %d", counter)
 	}
 }
 // TestRPiBootCounterMissingFile verifies default when status file is absent.
 func TestRPiBootCounterMissingFile(t *testing.T) {
 	dir := t.TempDir()
 	// Only create autoboot.txt, no boot-status
 	autoboot := "[all]\ntryboot_a_b=1\nboot_partition=2\n[tryboot]\nboot_partition=3\n"
 	if err := os.WriteFile(filepath.Join(dir, "autoboot.txt"), []byte(autoboot), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	env := NewRPi(dir)
 	counter, err := env.BootCounter()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if counter != 3 {
 		t.Errorf("expected default counter 3, got %d", counter)
 	}
 }
 // TestRPiBootSuccess verifies success is read from status file.
 func TestRPiBootSuccess(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, true)
 	env := NewRPi(dir)
 	success, err := env.BootSuccess()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if !success {
 		t.Error("expected true, got false")
 	}
 }
 // TestRPiMarkBootSuccess verifies marking boot success updates both files.
 func TestRPiMarkBootSuccess(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 1, false)
 	env := NewRPi(dir)
 	if err := env.MarkBootSuccess(); err != nil {
 		t.Fatal(err)
 	}
 	// Active slot should still be A
 	slot, _ := env.ActiveSlot()
 	if slot != "A" {
 		t.Errorf("expected active slot A, got %s", slot)
 	}
 	// Boot success should be true
 	success, _ := env.BootSuccess()
 	if !success {
 		t.Error("expected boot_success=true after MarkBootSuccess")
 	}
 	// Counter should be reset to 3
 	counter, _ := env.BootCounter()
 	if counter != 3 {
 		t.Errorf("expected counter=3 after MarkBootSuccess, got %d", counter)
 	}
 	// [all] boot_partition should be 2 (slot A, making it permanent)
 	data, _ := os.ReadFile(filepath.Join(dir, "autoboot.txt"))
 	if !strings.Contains(string(data), "boot_partition=2") {
 		t.Error("expected [all] boot_partition=2 after MarkBootSuccess")
 	}
 }
 // TestRPiActivateSlot verifies slot activation updates tryboot and status.
 func TestRPiActivateSlot(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, true)
 	env := NewRPi(dir)
 	if err := env.ActivateSlot("B"); err != nil {
 		t.Fatal(err)
 	}
 	// [tryboot] should now point to partition 3 (slot B)
 	data, _ := os.ReadFile(filepath.Join(dir, "autoboot.txt"))
 	content := string(data)
 	// Find [tryboot] section and check boot_partition
 	idx := strings.Index(content, "[tryboot]")
 	if idx < 0 {
 		t.Fatal("missing [tryboot] section")
 	}
 	trybootSection := content[idx:]
 	if !strings.Contains(trybootSection, "boot_partition=3") {
 		t.Errorf("expected [tryboot] boot_partition=3, got: %s", trybootSection)
 	}
 	// Status should be reset
 	success, _ := env.BootSuccess()
 	if success {
 		t.Error("expected boot_success=false after ActivateSlot")
 	}
 	counter, _ := env.BootCounter()
 	if counter != 3 {
 		t.Errorf("expected counter=3, got %d", counter)
 	}
 }
 // TestRPiActivateInvalidSlot verifies invalid slot is rejected.
 func TestRPiActivateInvalidSlot(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, false)
 	env := NewRPi(dir)
 	if err := env.ActivateSlot("C"); err == nil {
 		t.Fatal("expected error for invalid slot")
 	}
 }
 // TestRPiForceRollback verifies rollback swaps the active slot.
 func TestRPiForceRollback(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, true)
 	env := NewRPi(dir)
 	if err := env.ForceRollback(); err != nil {
 		t.Fatal(err)
 	}
 	// [all] should now point to partition 3 (slot B)
 	slot, _ := env.ActiveSlot()
 	if slot != "B" {
 		t.Errorf("expected B after rollback from A, got %s", slot)
 	}
 	// Success should be false
 	success, _ := env.BootSuccess()
 	if success {
 		t.Error("expected boot_success=false after ForceRollback")
 	}
 }
 // TestRPiSlotCycling verifies A->B->A slot switching works.
 func TestRPiSlotCycling(t *testing.T) {
 	dir := t.TempDir()
 	createTestAutobootFiles(t, dir, 2, 3, 3, true)
 	env := NewRPi(dir)
 	// Rollback A -> B
 	if err := env.ForceRollback(); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ := env.ActiveSlot()
 	if slot != "B" {
 		t.Fatalf("expected B, got %s", slot)
 	}
 	// Rollback B -> A
 	if err := env.ForceRollback(); err != nil {
 		t.Fatal(err)
 	}
 	slot, _ = env.ActiveSlot()
 	if slot != "A" {
 		t.Fatalf("expected A, got %s", slot)
 	}
 }
 // TestInterfaceCompliance verifies both implementations satisfy BootEnv.
 func TestInterfaceCompliance(t *testing.T) {
 	dir := t.TempDir()
 	grubPath := createTestGrubenv(t, dir, map[string]string{
 		"active_slot":  "A",
 		"boot_counter": "3",
 		"boot_success": "0",
 	})
 	rpiDir := t.TempDir()
 	createTestAutobootFiles(t, rpiDir, 2, 3, 3, false)
 	impls := map[string]BootEnv{
 		"grub": NewGRUB(grubPath),
 		"rpi":  NewRPi(rpiDir),
 	}
 	for name, env := range impls {
 		t.Run(name, func(t *testing.T) {
 			slot, err := env.ActiveSlot()
 			if err != nil {
 				t.Fatalf("ActiveSlot: %v", err)
 			}
 			if slot != "A" {
 				t.Errorf("ActiveSlot: expected A, got %s", slot)
 			}
 			passive, err := env.PassiveSlot()
 			if err != nil {
 				t.Fatalf("PassiveSlot: %v", err)
 			}
 			if passive != "B" {
 				t.Errorf("PassiveSlot: expected B, got %s", passive)
 			}
 			counter, err := env.BootCounter()
 			if err != nil {
 				t.Fatalf("BootCounter: %v", err)
 			}
 			if counter != 3 {
 				t.Errorf("BootCounter: expected 3, got %d", counter)
 			}
 			success, err := env.BootSuccess()
 			if err != nil {
 				t.Fatalf("BootSuccess: %v", err)
 			}
 			if success {
 				t.Error("BootSuccess: expected false")
 			}
 		})
 	}
 }
 // createTestAutobootFiles is a helper that writes both autoboot.txt and boot-status.
 func createTestAutobootFiles(t *testing.T, dir string, allPart, trybootPart, counter int, success bool) {
 	t.Helper()
 	autoboot := "[all]\ntryboot_a_b=1\nboot_partition=" + strconv.Itoa(allPart) + "\n"
 	autoboot += "[tryboot]\nboot_partition=" + strconv.Itoa(trybootPart) + "\n"
 	if err := os.WriteFile(filepath.Join(dir, "autoboot.txt"), []byte(autoboot), 0o644); err != nil {
 		t.Fatal(err)
 	}
 	successVal := "0"
 	if success {
 		successVal = "1"
 	}
 	status := "boot_counter=" + strconv.Itoa(counter) + "\nboot_success=" + successVal + "\n"
 	if err := os.WriteFile(filepath.Join(dir, "boot-status"), []byte(status), 0o644); err != nil {
 		t.Fatal(err)
 	}
 }
--- a/update/pkg/bootenv/grub.go
+++ b/update/pkg/bootenv/grub.go
@@ -0,0 +1,23 @@
 package bootenv
 import (
 	"github.com/portainer/kubesolo-os/update/pkg/grubenv"
 )
 // GRUBEnv implements BootEnv using GRUB environment variables.
 type GRUBEnv struct {
 	env *grubenv.Env
 }
 // NewGRUB creates a new GRUB-based BootEnv.
 func NewGRUB(path string) BootEnv {
 	return &GRUBEnv{env: grubenv.New(path)}
 }
 func (g *GRUBEnv) ActiveSlot() (string, error)    { return g.env.ActiveSlot() }
 func (g *GRUBEnv) PassiveSlot() (string, error)    { return g.env.PassiveSlot() }
 func (g *GRUBEnv) BootCounter() (int, error)       { return g.env.BootCounter() }
 func (g *GRUBEnv) BootSuccess() (bool, error)      { return g.env.BootSuccess() }
 func (g *GRUBEnv) MarkBootSuccess() error          { return g.env.MarkBootSuccess() }
 func (g *GRUBEnv) ActivateSlot(slot string) error  { return g.env.ActivateSlot(slot) }
 func (g *GRUBEnv) ForceRollback() error            { return g.env.ForceRollback() }
--- a/update/pkg/bootenv/rpi.go
+++ b/update/pkg/bootenv/rpi.go
@@ -0,0 +1,267 @@
 package bootenv
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 )
 const (
 	// RPi partition numbers: slot A = partition 2, slot B = partition 3.
 	rpiSlotAPartition = 2
 	rpiSlotBPartition = 3
 	defaultBootCounter = 3
 )
 // RPiEnv implements BootEnv using Raspberry Pi firmware autoboot.txt.
 type RPiEnv struct {
 	autobootPath string // path to autoboot.txt
 	statusPath   string // path to boot-status file
 }
 // NewRPi creates a new RPi-based BootEnv.
 // dir is the directory containing autoboot.txt (typically the boot control
 // partition mount point).
 func NewRPi(dir string) BootEnv {
 	return &RPiEnv{
 		autobootPath: filepath.Join(dir, "autoboot.txt"),
 		statusPath:   filepath.Join(dir, "boot-status"),
 	}
 }
 func (r *RPiEnv) ActiveSlot() (string, error) {
 	partNum, err := r.readAllBootPartition()
 	if err != nil {
 		return "", fmt.Errorf("reading active slot: %w", err)
 	}
 	return partNumToSlot(partNum)
 }
 func (r *RPiEnv) PassiveSlot() (string, error) {
 	active, err := r.ActiveSlot()
 	if err != nil {
 		return "", err
 	}
 	if active == SlotA {
 		return SlotB, nil
 	}
 	return SlotA, nil
 }
 func (r *RPiEnv) BootCounter() (int, error) {
 	status, err := r.readStatus()
 	if err != nil {
 		return -1, err
 	}
 	val, ok := status["boot_counter"]
 	if !ok {
 		return defaultBootCounter, nil
 	}
 	n, err := strconv.Atoi(val)
 	if err != nil {
 		return -1, fmt.Errorf("invalid boot_counter %q: %w", val, err)
 	}
 	return n, nil
 }
 func (r *RPiEnv) BootSuccess() (bool, error) {
 	status, err := r.readStatus()
 	if err != nil {
 		return false, err
 	}
 	return status["boot_success"] == "1", nil
 }
 func (r *RPiEnv) MarkBootSuccess() error {
 	// Make the current slot permanent by updating [all] boot_partition
 	active, err := r.ActiveSlot()
 	if err != nil {
 		return fmt.Errorf("marking boot success: %w", err)
 	}
 	partNum := slotToPartNum(active)
 	if err := r.writeAllBootPartition(partNum); err != nil {
 		return err
 	}
 	return r.writeStatus(defaultBootCounter, true)
 }
 func (r *RPiEnv) ActivateSlot(slot string) error {
 	if slot != SlotA && slot != SlotB {
 		return fmt.Errorf("invalid slot: %q (must be A or B)", slot)
 	}
 	partNum := slotToPartNum(slot)
 	// Update [tryboot] to point to the new slot
 	if err := r.writeTrybootPartition(partNum); err != nil {
 		return err
 	}
 	return r.writeStatus(defaultBootCounter, false)
 }
 func (r *RPiEnv) ForceRollback() error {
 	passive, err := r.PassiveSlot()
 	if err != nil {
 		return err
 	}
 	// Swap the [all] boot_partition to the other slot
 	partNum := slotToPartNum(passive)
 	if err := r.writeAllBootPartition(partNum); err != nil {
 		return err
 	}
 	if err := r.writeTrybootPartition(partNum); err != nil {
 		return err
 	}
 	return r.writeStatus(defaultBootCounter, false)
 }
 // readAllBootPartition reads the boot_partition value from the [all] section.
 func (r *RPiEnv) readAllBootPartition() (int, error) {
 	sections, err := r.parseAutoboot()
 	if err != nil {
 		return 0, err
 	}
 	val, ok := sections["all"]["boot_partition"]
 	if !ok {
 		return 0, fmt.Errorf("boot_partition not found in [all] section")
 	}
 	return strconv.Atoi(val)
 }
 // writeAllBootPartition updates the [all] boot_partition value.
 func (r *RPiEnv) writeAllBootPartition(partNum int) error {
 	sections, err := r.parseAutoboot()
 	if err != nil {
 		return err
 	}
 	if sections["all"] == nil {
 		sections["all"] = make(map[string]string)
 	}
 	sections["all"]["boot_partition"] = strconv.Itoa(partNum)
 	return r.writeAutoboot(sections)
 }
 // writeTrybootPartition updates the [tryboot] boot_partition value.
 func (r *RPiEnv) writeTrybootPartition(partNum int) error {
 	sections, err := r.parseAutoboot()
 	if err != nil {
 		return err
 	}
 	if sections["tryboot"] == nil {
 		sections["tryboot"] = make(map[string]string)
 	}
 	sections["tryboot"]["boot_partition"] = strconv.Itoa(partNum)
 	return r.writeAutoboot(sections)
 }
 // parseAutoboot reads autoboot.txt into a map of section -> key=value pairs.
 func (r *RPiEnv) parseAutoboot() (map[string]map[string]string, error) {
 	data, err := os.ReadFile(r.autobootPath)
 	if err != nil {
 		return nil, fmt.Errorf("reading autoboot.txt: %w", err)
 	}
 	sections := make(map[string]map[string]string)
 	currentSection := ""
 	for _, line := range strings.Split(string(data), "\n") {
 		line = strings.TrimSpace(line)
 		if line == "" {
 			continue
 		}
 		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
 			currentSection = line[1 : len(line)-1]
 			if sections[currentSection] == nil {
 				sections[currentSection] = make(map[string]string)
 			}
 			continue
 		}
 		parts := strings.SplitN(line, "=", 2)
 		if len(parts) == 2 && currentSection != "" {
 			sections[currentSection][strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
 		}
 	}
 	return sections, nil
 }
 // writeAutoboot writes sections back to autoboot.txt.
 // Section order: [all] first, then [tryboot].
 func (r *RPiEnv) writeAutoboot(sections map[string]map[string]string) error {
 	var sb strings.Builder
 	// Write [all] section first
 	if all, ok := sections["all"]; ok {
 		sb.WriteString("[all]\n")
 		for k, v := range all {
 			sb.WriteString(k + "=" + v + "\n")
 		}
 	}
 	// Write [tryboot] section
 	if tryboot, ok := sections["tryboot"]; ok {
 		sb.WriteString("[tryboot]\n")
 		for k, v := range tryboot {
 			sb.WriteString(k + "=" + v + "\n")
 		}
 	}
 	return os.WriteFile(r.autobootPath, []byte(sb.String()), 0o644)
 }
 // readStatus reads the boot-status key=value file.
 func (r *RPiEnv) readStatus() (map[string]string, error) {
 	data, err := os.ReadFile(r.statusPath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			// Return defaults if status file doesn't exist yet
 			return map[string]string{
 				"boot_counter": strconv.Itoa(defaultBootCounter),
 				"boot_success": "0",
 			}, nil
 		}
 		return nil, fmt.Errorf("reading boot-status: %w", err)
 	}
 	status := make(map[string]string)
 	for _, line := range strings.Split(string(data), "\n") {
 		line = strings.TrimSpace(line)
 		if line == "" {
 			continue
 		}
 		parts := strings.SplitN(line, "=", 2)
 		if len(parts) == 2 {
 			status[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
 		}
 	}
 	return status, nil
 }
 // writeStatus writes boot_counter and boot_success to the status file.
 func (r *RPiEnv) writeStatus(counter int, success bool) error {
 	successVal := "0"
 	if success {
 		successVal = "1"
 	}
 	content := fmt.Sprintf("boot_counter=%d\nboot_success=%s\n", counter, successVal)
 	return os.WriteFile(r.statusPath, []byte(content), 0o644)
 }
 func partNumToSlot(partNum int) (string, error) {
 	switch partNum {
 	case rpiSlotAPartition:
 		return SlotA, nil
 	case rpiSlotBPartition:
 		return SlotB, nil
 	default:
 		return "", fmt.Errorf("unknown partition number %d (expected %d or %d)", partNum, rpiSlotAPartition, rpiSlotBPartition)
 	}
 }
 func slotToPartNum(slot string) int {
 	if slot == SlotB {
 		return rpiSlotBPartition
 	}
 	return rpiSlotAPartition
 }