(Q35) Patina-side BPWPS lock rejection unit test

[kat-perez]

Add a #[patina_test] function in patina-dxe-core-qemu (or wherever the Q35 test runner lives) that asserts the BPWPS lock primitive in isolation:

1. Resolve the device path for the Q35 emulated NVMe boot partition.
2. Issue a Firmware Download + Firmware Commit (action 0x6 replace) to the BP. Expect Ok (the controller accepts the write before any lock is in place).
3. Call patina_boot::partition::lock_partition_write on the same path. Expect Ok.
4. Issue a second Firmware Commit. Expect the controller to reject it with Boot Partition Write Protected (surfaced as EfiError::DeviceError from our helper).

This catches regressions in the lock primitive itself: wrong FID, wrong CDW10/CDW11 encoding, wrong opcode, missing flag bits, BPWPS state value off by one. Test runs every CI build of patina-dxe-core-qemu.

Steps:

1. Add a small apply_boot_partition_image helper (or inline FW Download/Commit packets) so the test can issue the "write" half. This same helper will be the production caller for capsule update (Apply SRE WIM capsule update to boot partition #52); landing it here lets the test exist before Apply SRE WIM capsule update to boot partition #52 is fully implemented.
2. Add a path resolver for the test — walk the handle list for the first NVMe Pass-Thru protocol and use that handle's device path. Avoids hardcoding QEMU's PCI topology.
3. Wire the test into the Q35 binary's TestRunner component under cfg(feature = "test-runner").

Out of scope (separate issue):

• Drive-erase integration test (separate sub-issue tracking the product-level "BP survives wipe" invariant).
• The rejection of FW Commit at the QEMU emulation level — that's exercised by Add NVMe BP write-protection (BPWPS) emulation to QEMU hw/nvme (part 2) #79's qtest in tests/qtest/nvme-test.c independently.

Depends on: #74 (QEMU BP + Firmware Download/Commit), #79 (QEMU BPWPS state machine + Commit rejection).