feat(swtpm): software TPM 2.0 for ephemeral CI VMs (#3) #4

Closed
foil-copy-overrate wants to merge 1 commit into main from feature/swtpm-ci

@foil-copy-overrate

Member

Software TPM 2.0 for ephemeral CI VMs

Implements the bcvk side of issue #3 / yubiOS ADR-016 §Feature 1 / BLOCKER-006.
Pairs with yubiOS PR bootc-dev#34 (guest-side systemd-tpm2-swtpm.service drop-in).

What this does

bcvk run --feature tpm2-swtpm launches an swtpm process and wires an emulated
TPM 2.0 into the guest (-tpmdev emulator + arch-aware tpm-tis/tpm-tis-device),
so /dev/tpm0 is present inside CI VMs without hardware. Exercises TPM2 code paths
(PCR measurements, LUKS2 PCR binding, ConditionSecurity=measured-os).

Changes

  • new crates/bcvk-qemu/src/swtpm.rs — SwtpmConfig, QEMU arg generation, arch device selection, socket wait, table-driven unit tests.
  • crates/bcvk-qemu/src/lib.rs — export module.
  • crates/bcvk-qemu/src/qemu.rs — QemuConfig::enable_swtpm() + swtpm field; spawn swtpm before QEMU and kill it on wait(); emit TPM device args.
  • crates/kit/src/run_ephemeral.rs — --feature tpm2-swtpm on CommonVmOpts, wired into the qemu config build.
  • docs/swtpm-tpm2.md.

Mirrors the --yubikey USB-passthrough pattern (PR #2).

⚠️ Review notes (not yet built)

  • Authored via the GitHub API; not compiled in this environment. Needs cargo build + cargo nextest run -p bcvk-qemu on a dev box before merge.
  • Assumes swtpm/swtpm-tools are present where QEMU runs (the test image / runner); a clear error is surfaced if missing.
  • enable_swtpm() is called in run_impl (container-entrypoint stage) so swtpm + QEMU share a namespace.
  • Per AGENTS.md/DCO: an LLM must not add Signed-off-by; a human must add it after review.
  • Phase 0: do not merge without Jenny’s review.

Adds a `--feature tpm2-swtpm` path to `bcvk run` that launches an swtpm
(IBM software TPM 2.0) process on the QEMU side and wires an emulated TPM
2.0 into the guest via -tpmdev emulator + an arch-aware tpm-tis device, so
/dev/tpm0 is available inside ephemeral CI VMs without hardware.

New: crates/bcvk-qemu/src/swtpm.rs (config, arg generation, arch device
selection, socket wait, table-driven tests). Wired through QemuConfig
(enable_swtpm + swtpm field), RunningQemu (spawn swtpm before QEMU, kill on
wait), and CommonVmOpts (--feature flag), mirroring the --yubikey passthrough
pattern in PR #2.

For yubiOS ADR-016 Feature 1 / BLOCKER-006; pairs with yubiOS PR bootc-dev#34
(guest-side systemd-tpm2-swtpm.service drop-in). swtpm is test coverage
only; production trust anchor remains YubiKey FIDO2 (ADR-003).

Assisted-by: Sauna (claude-opus-4.8)
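
The host-side wiring described in this PR (swtpm listening first, then QEMU given `-tpmdev emulator` plus an arch-specific TPM device), as an added Rust example that is not the PR's code. `SwtpmSketch`, the socket name `swtpm-sock`, the state directory and the arch-to-device mapping are assumptions; the swtpm and QEMU options are the documented ones.

```rust
use std::path::PathBuf;

/// Hypothetical stand-in for the PR's SwtpmConfig (not the project's code).
pub struct SwtpmSketch {
    /// Assumed: a fresh per-VM directory, so TPM state never outlives the CI run.
    pub state_dir: PathBuf,
}

impl SwtpmSketch {
    /// Control-socket path as a string; the socket name is an assumption.
    fn socket(&self) -> Result<String, String> {
        let p = self.state_dir.join("swtpm-sock");
        let s = p.to_str().ok_or("non-UTF-8 state dir")?.to_string();
        // QEMU splits option strings on ',', so a comma in the path would
        // be parsed as extra chardev options; reject instead of escaping.
        if s.contains(',') {
            return Err(format!("comma in socket path: {}", s));
        }
        Ok(s)
    }

    /// argv for the swtpm process, which must be listening before QEMU starts.
    pub fn swtpm_argv(&self) -> Result<Vec<String>, String> {
        let sock = self.socket()?;
        Ok(vec![
            "swtpm".into(), "socket".into(), "--tpm2".into(),
            "--tpmstate".into(), format!("dir={}", self.state_dir.display()),
            "--ctrl".into(), format!("type=unixio,path={}", sock),
        ])
    }

    /// QEMU arguments: chardev on the swtpm socket, emulator backend, TPM device.
    pub fn qemu_args(&self, arch: &str) -> Result<Vec<String>, String> {
        let device = match arch {
            "x86_64" => "tpm-tis",
            "aarch64" => "tpm-tis-device", // sysbus variant for the arm virt machine
            other => return Err(format!("no TPM device mapping for {}", other)),
        };
        Ok(vec![
            "-chardev".into(), format!("socket,id=chrtpm,path={}", self.socket()?),
            "-tpmdev".into(), "emulator,id=tpm0,chardev=chrtpm".into(),
            "-device".into(), format!("{},tpmdev=tpm0", device),
        ])
    }
}

fn main() {
    let cfg = SwtpmSketch { state_dir: PathBuf::from("/run/bcvk/tpm-demo") }; // constructed path
    println!("{:?}\n{:?}", cfg.swtpm_argv(), cfg.qemu_args("x86_64"));
}
```
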
@foil-copy-overrate

Member Author

Closing as the duplicate of the canonical swtpm branch. Two parallel runs produced competing approaches for #3: this PR (feature/swtpm-ci, host-side QEMU -tpmdev emulator) and feat/swtpm-ci (in-guest systemd-tpm2-swtpm.service + --feature tpm2-swtpm + /dev/tpm0). The in-guest route matches the #3 scope literally, so feat/swtpm-ci is canonical. Per Phase 0 policy bcvk is referenced by branch, never merged, so closing this PR — work continues on feat/swtpm-ci.

@foil-copy-overrate

Member Author

Superseded by the canonical swtpm branch feat/swtpm-ci (@2cc8a75), which takes the in-guest route (systemd-tpm2-swtpm.service + tpm_vtpm_proxy, Dockerfile.swtpm fixture, swtpm_feature.rs integration test) and matches issue #3 scope items 1–2 more literally. This host-side QEMU -tpmdev emulator approach is a valid alternative kept on branch feature/swtpm-ci for reference. Closing to avoid two competing draft PRs for the same task. Per yubiOS doctrine, no bcvk branch is merged — yubiOS references the branch directly. Re #3.

@foil-copy-overrate foil-copy-overrate deleted the feature/swtpm-ci branch June 26, 2026 09:18