Add P2 daemon hardening patches and wire into base recipe

215 fixes across 33 Rust source files replacing unwrap/expect/panic
with graceful error handling in init, all boot-critical daemons,
and the six graphics driver packages. Fixes inverted scheduler
conditions_met() logic that prevented rootfs from mounting.

local/patches/base/P2-daemon-ready-graceful.patch

@@ -0,0 +1,27 @@
+diff --git a/daemon/src/lib.rs b/daemon/src/lib.rs
+--- a/daemon/src/lib.rs
++++ b/daemon/src/lib.rs
+@@ -52,7 +52,11 @@
+ 
+     /// Notify the process that the daemon is ready to accept requests.
+     pub fn ready(mut self) {
+-        self.write_pipe.write_all(&[0]).unwrap();
++        if let Err(err) = self.write_pipe.write_all(&[0]) {
++            if err.kind() != io::ErrorKind::BrokenPipe {
++                eprintln!("daemon::ready write failed: {err}");
++            }
++        }
+     }
+ 
+     /// Executes `Command` as a child process.
+diff --git a/randd/src/main.rs b/randd/src/main.rs
+--- a/randd/src/main.rs
++++ b/randd/src/main.rs
+@@ -83,7 +83,7 @@
+     } // TODO integrate alternative entropy sources
+     if !have_seeded {
+-        println!("randd: Seeding failed, no entropy source.  Random numbers on this platform are NOT SECURE");
++        eprintln!("randd: no hardware entropy source, random numbers are NOT SECURE");
+     }
+     rng
+ }