
imgtool: add AES‑KW encryption support and tests #2615

Open
ledvinap wants to merge 2 commits into mcu-tools:main from ledvinap:imgtool-aes-kw
@ledvinap
Contributor

  • Add AES‑KW KEK loading from base64 (16/32 bytes) and emit ENCKW TLVs in imgtool.
  • Allow AES‑KW encryption alongside any signing key.
  • Document AES‑KW usage in imgtool/encrypted images docs.
  • Add AES‑KW encryption tests, including sign+encrypt coverage.

The code is heavily Codex-assisted. I'm new to mcuboot, so I may be missing something.

Codex says that the image works in the simulator:

  # Build bootsim with KW support
  cargo build --release --features enc-kw

  # Create payload + unsigned images with imgtool
  dd if=/dev/urandom of=/tmp/app.bin bs=1024 count=64
  ./scripts/imgtool.py sign --align 4 -H 0x20 -v 1.2.2 --pad-header -S 0x20000 /tmp/app.bin /tmp/app-unsigned.bin
  ./scripts/imgtool.py sign --encrypt enc-aes128kw.b64 --align 4 -H 0x20 -v 1.2.3 --pad-header -S 0x20000 /tmp/app.bin /tmp/app-kw-unsigned.bin

  # Run sim with external images
  RUST_LOG=debug cargo run --release --features enc-kw -- run-image --device stm32f4 --image0 /tmp/app-unsigned.bin --image1 /tmp/app-kw-unsigned.bin

  - boot_enc_load: ENCKW TLV found, decrypt key OK
  - bootutil_img_validate: hash TLV (SHA256) found and validated
  - swap started (scratch algorithm)
  - swap metadata written (swap_info/swap_size/enc_key/magic)
  - copy_done written in primary
  - run-image succeeded

Add AES-KW KEK loading from base64 (16/32 bytes) and ENCKW TLV emission.
Allow AES-KW with any signing key and document the new usage.
@ledvinap ledvinap requested a review from d3zd3z as a code owner January 29, 2026 22:57
@de-nordic de-nordic added area: imgtool crypto Encryption support labels Feb 3, 2026
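
An added illustration, not code from this pull request or from MCUboot: the AES-KW flow the description outlines (base64 KEK of 16 or 32 bytes, wrapped image key carried in an ENCKW TLV), plus the boot-side unwrap that rejects a wrong KEK or a tampered TLV. The function names, the TLV type value 0x31 and the little-endian type/length framing are assumptions to check against imgtool and the bootloader headers; the key material is the RFC 3394 section 4.1 test vector.

```python
import base64
import struct
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_wrap)

TLV_ENCKW = 0x31  # assumed: ENCKW TLV type value, verify against the project


def load_kek(b64_text):
    """Decode a base64 KEK and accept only 16- or 32-byte keys."""
    kek = base64.b64decode(b64_text.strip(), validate=True)
    if len(kek) not in (16, 32):
        raise ValueError("AES-KW KEK must be 16 or 32 bytes, got %d" % len(kek))
    return kek


def make_enckw_tlv(kek, image_key):
    """Wrap the per-image key (RFC 3394) and frame it as type/len/value."""
    wrapped = aes_key_wrap(kek, image_key)  # len(image_key) + 8 bytes
    return struct.pack("<HH", TLV_ENCKW, len(wrapped)) + wrapped


def open_enckw_tlv(kek, tlv):
    """Boot-side check: parse the TLV and unwrap; None means reject the image."""
    if len(tlv) < 4:
        return None
    tlv_type, length = struct.unpack_from("<HH", tlv)
    if tlv_type != TLV_ENCKW or length != len(tlv) - 4:
        return None
    try:
        return aes_key_unwrap(kek, tlv[4:])
    except (InvalidUnwrap, ValueError):
        return None  # wrong KEK or tampered wrapped key


if __name__ == "__main__":
    # Constructed sample values: the RFC 3394 section 4.1 test vector.
    kek = load_kek(base64.b64encode(bytes(range(16))).decode())
    image_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    tlv = make_enckw_tlv(kek, image_key)
    print(tlv.hex())
    print(open_enckw_tlv(kek, tlv) == image_key)
    print(open_enckw_tlv(bytes(16), tlv))
```

AES-KW carries its own integrity check, so the unwrap failing is the signal that the KEK provisioned on the device does not match the one used at signing time.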