RFC: Add confidential guest support: Secure Execution support

[mhartmay]

Example to start a confidential guest using two host-key documents

$ vng -r --confidential-guest --confidential-guest-args
host-key-document=/home/mhartmay/storage/git/hostkeys/a46/HKD-3931-02772A8.crt
--confidential-guest-args
host-key-document=/home/mhartmay/storage/git/hostkeys/b35/HKD-9175-029DE48.crt

Another example where always the given pvimg create arguments are used. To do
so, modify the
default_opts sections in ~/.config/virtme-ng/virtme-ng.conf as following:

{
    "default_opts": {
        "confidential_guest_args": ["host-key-document=/home/user/HKD.crt"]
    },
}

Now you can simply run vng --confidential-guest to prepare the Secure Execution boot image using the given host-key document.

[mhartmay]

There are still some open TODOs:

• check for pvimg
• Check for KVM and native run
• Add confidential dump support
• probing qemu/kvm/hardware and guest kernel for confidential guest support? Not sure about this... there are some other places in virtme-ng that does not handle this as well.

[mhartmay]

@arighi Do you know if this approach would work for AMD SEV? Or can you test it? (I do not have access to AMD SEV hardware)

[arighi]

@arighi Do you know if this approach would work for AMD SEV? Or can you test it? (I do not have access to AMD SEV hardware)

I also don't have access to any hardware with AMD SEV. And my knowledge about confidential computing is still very basic.
I'd say as long as it works with a certain hardware and it's not breaking/regressing other workloads, I'm totally ok to merge this (it doesn't necessarily need to work with everything).