Add quote generation / verification

[ameba23]

This provides logic for generating and verifying DCAP TDX quotes.

Quote verification is done using dcap-qvl from Kevin Wang / Phala.

I am currently trying to get the quote parser from this logic to accept mock quotes from tdx-quote so that we can test the some of the quote verification logic on non-TDX hardware. Ideally i would like to test the measurement and report input checking logic but ignore PCK certificate chain verification.

Currently these mock quotes will not parse with dcap-qvl::quote::Quote::parse - which is likely an error in the mock quote generation.

There are some open design questions around the PCCS - whether to do internal PCS caching (per instance of this service) or use some external PCCS.

I plan to add some GCP-specific logic - checking launch endorsements for the MRTD values from GCP, using tdx_workload_attestation These responses can be cached similarly to the PCS collateral (either internally or using some external caching service).

There are some other open design questions:

• Whether we still need to support MAA. And if so, how?
  • Proposal: az-tdx-vtpm for quote generation and azure_svc_attestation together with a JWT library for verification
  • Other option: Call out to a binding to the Constellation Go code
• Are we at all interested in Intel Trust Authority. Would it give us anything when used on GCP when compared to the DCAP flow above?
• For GCP: How to handle accepted PPIDs. (I guess this part will come later)