Unikernel build target for cosmian_kms_server #897

@Manuthor

Summary

Produce a bootable unikernel image of cosmian_kms_server that can be
launched under a Type-1/Type-2 hypervisor or a Confidential-VM environment.
The goal is to shrink the attack surface to zero unnecessary OS components
and enable hardware attestation of the KMS image.

Motivation

  • KMS is a high-value target; a unikernel removes the entire OS as an attack vector
  • Confidential-computing deployments (AWS Nitro Enclaves, Azure Confidential VMs,
    AMD SEV, Intel TDX) pair naturally with an immutable, attestable boot image
  • Cold-boot time < 100 ms and image size < 30 MB (vs. ~300 MB Docker image)
