Add virtualization support for containers by dcantah · Pull Request #377 · apple/container
Closes apple#376

On supported SoCs virtualization.framework has nested virtualization support, and it's already exposed in Containerization. This exposes a --virtualization flag on create and run to expose this to users here. If the host doesn't support it we'll fail when going to run the container. The guest kernel also must have virtualization enabled, which our default kernel does not.

```
./bin/container run -it --rm --virtualization ubuntu:latest bash
Error: unsupported: "nested virtualization is not supported on the platform"
```

And a successful run with a supplied kernel:

```
./bin/container run --rm --virtualization -it --kernel ~/Downloads/kernel.arm64 ubuntu:latest sh -c "dmesg | grep kvm"
[ 0.017245] kvm [1]: IPA Size Limit: 40 bits
[ 0.017499] kvm [1]: GICv3: no GICV resource entry
[ 0.017501] kvm [1]: disabling GICv2 emulation
[ 0.017506] kvm [1]: GIC system register CPU interface enabled
[ 0.017685] kvm [1]: vgic interrupt IRQ9
[ 0.017893] kvm [1]: Hyp mode initialized successfully
```