1.1 | 23-Nov-2025 | riastradh
aes(9): New 64-bit bitsliced implementation.
Derived from BearSSL's aes_ct64 code. Compared to the aes_ct code, on machines with native 64-bit integer arithmetic, aes_ct64 should have approximately:
- the same throughput for:
  . CBC encryption,
  . CCM encryption/decryption, and
  . CBC-MAC;
- double the throughput for:
  . CBC decryption,
  . XTS encryption/decryption.
(aes_ct computes AES on two blocks at a time; aes_ct64 computes it on four blocks at a time, with roughly the same number of instructions. CBC encryption and CBC-MAC are inherently sequential; CCM, being a combination of CTR and CBC-MAC, can only really be parallelized two ways, so having four ways available doesn't help; and CBC decryption and XTS admit parallelism limited only by the size of the inputs.)
Enable with `options AES_BEAR64'. Should be a reasonable default on all platforms with 64-bit integer registers. Caveat: uses about 1200 bytes of stack space. (Could approximately halve that, like the BearSSL aes_ct code, at some speed cost which I haven't measured -- by moving the br_aes_ct64_skey_expand logic into add_round_key in aes_ct64_{enc,dec}.c.)
PR kern/59774: bearssl 32-bit AES is too slow, want 64-bit optimized version in kernel
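
The parallelism argument in the commit message, as an added example that is not code from the commit or from BearSSL. It assumes a constructed 64-bit toy permutation (`toy_enc`/`toy_dec`, not AES) and a hypothetical `toy_dec4` standing in for a core that handles four blocks per call.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy invertible 64-bit block function: NOT AES, constructed for illustration. */
static uint64_t rotl64(uint64_t x) { return (x << 13) | (x >> 51); }
static uint64_t rotr64(uint64_t x) { return (x >> 13) | (x << 51); }
static uint64_t toy_enc(uint64_t k, uint64_t x) {
    for (unsigned r = 0; r < 4; r++) x = rotl64(x ^ k) + k + r;
    return x;
}
static uint64_t toy_dec(uint64_t k, uint64_t y) {
    for (unsigned r = 4; r-- > 0;) y = rotr64(y - k - r) ^ k;
    return y;
}
/* Hypothetical stand-in for a 4-way core: one call, four independent blocks. */
static unsigned dec4_calls;
static void toy_dec4(uint64_t k, const uint64_t in[4], uint64_t out[4]) {
    dec4_calls++;
    for (int j = 0; j < 4; j++) out[j] = toy_dec(k, in[j]);
}
/* CBC encryption: block i needs ct[i-1], so only one lane is ever usable. */
static void cbc_enc(uint64_t k, uint64_t iv, const uint64_t *pt, uint64_t *ct, size_t n) {
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) prev = ct[i] = toy_enc(k, pt[i] ^ prev);
}
/* CBC decryption: every core input is ciphertext already in hand, so four
 * blocks go through the core together and the chaining XOR comes afterwards.
 * pt and ct must not overlap. */
static void cbc_dec(uint64_t k, uint64_t iv, const uint64_t *ct, uint64_t *pt, size_t n) {
    uint64_t prev = iv, t[4];
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        toy_dec4(k, ct + i, t);
        for (int j = 0; j < 4; j++) { pt[i + j] = t[j] ^ prev; prev = ct[i + j]; }
    }
    for (; i < n; i++) { pt[i] = toy_dec(k, ct[i]) ^ prev; prev = ct[i]; } /* tail */
}
/* Round-trip n <= 16 constructed blocks; returns 4-way calls used, -1 on error. */
static int roundtrip(size_t n) {
    uint64_t pt[16], ct[16], out[16], k = 0x0123456789abcdefULL; /* constructed key */
    if (n > 16) return -1;
    for (size_t i = 0; i < n; i++) pt[i] = 0x1111111111111111ULL * i;
    dec4_calls = 0;
    cbc_enc(k, 42, pt, ct, n);
    cbc_dec(k, 42, ct, out, n);
    for (size_t i = 0; i < n; i++) if (out[i] != pt[i]) return -1;
    return (int)dec4_calls;
}
int main(void) { printf("4-way calls for 10 blocks: %d\n", roundtrip(10)); return 0; }
```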