feat: implement Secure Boot with UKI in run.sh

Add complete Secure Boot implementation:
- Generate PK/KEK/db keys during ISO build
- Build Unified Kernel Image (UKI) bundling kernel+initramfs+cmdline
- Sign UKI with db key for Secure Boot verification
- Include kernel lockdown mode in cmdline (lockdown=confidentiality)
- Copy .auth files to ISO for UEFI key enrollment

All Secure Boot logic is embedded in run.sh as an inline binary hook
created during the Docker build process - no separate scripts.

Required packages added: efitools, sbsigntools, systemd-boot, binutils

VM template updated with TPM v2.0 for Secure Boot measurements.

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
Charles N Wyble
2026-02-20 07:40:21 -05:00
parent e3e729af80
commit 169362ce3d
3 changed files with 577 additions and 3 deletions

@@ -8,6 +8,11 @@ shim-signed
grub-efi-amd64-signed
grub-efi-amd64-bin
efibootmgr
efitools
sbsigntools
systemd-boot
systemd-boot-efi
binutils
# Desktop environment
icewm
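Review bot: this hunk adds five packages (efitools, sbsigntools, systemd-boot, systemd-boot-efi, binutils) but the commit message's "Required packages added" line lists only four, omitting systemd-boot-efi; please update the message so the two agree, e.g. `Required packages added: efitools, sbsigntools, systemd-boot, systemd-boot-efi, binutils`. The list now also carries both the unchanged shim-signed / grub-efi-amd64-signed entries and the new systemd-boot packages, while the commit message says the UKI is signed with the custom db key and the .auth files are enrolled in firmware; state which boot path the ISO is expected to use (shim+GRUB or systemd-boot+UKI) and whether the shim/GRUB packages are still needed once the custom keys are enrolled, so the intended trust chain is documented rather than left implicit.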