Fix LUKS header validation security vulnerability (GHSA-jxq2-hpw3-m5wf)

- Add comprehensive LUKS2 header validation to prevent CVM from writing
  sensitive data to unencrypted disks or running malicious programs
- Validate magic bytes, version, encryption cipher, key sizes, and metadata
- Enforce aes-xts-plain64 encryption and reject weak/null ciphers
- Add test fixtures in tests/fixtures/ for positive and negative test cases
- Addresses critical security issue where missing validation could compromise
  confidential computing environment

Author: kvinwang