
Use attest repo to compute expected measurements from image hashes#47

Draft
ameba23 wants to merge 9 commits into main from peg/attest-integrate-incremental-00

Conversation

Collaborator

@ameba23 ameba23 commented Jun 3, 2026

WIP

This is a protocol breaking change as it changes the format of the wire message for attestation payload.

This is the first step towards integrating with the easy-tee/attest repo, and is based roughly on @Ruteri's attest-integration-idea branch.

This adds platform metadata from the to the attestation payload which the attester produces and the verifier checks, and adds a new variant to the MeasurementRecord enum used in the measurement policy for verification, which allows image hashes to be specified rather than a full set of measurements.

When verifying, if we have a policy which specifies image hashes rather than a full set of measurements, we compute expected measurements using attest-measure's expected_dcap_registers function based on the platform metadata and image hashes.

There are still a lot of things missing from this PR, and currently some very similar types are duplicated between this repo's attestation crate and attest-types. There is a little bit of friction there with wanting to maintain compatibility with our current measurement policy JSON format (for the attestation type names) and some things which I just didn't get to yet. But potentially this can become a lot neater, and we can lean more on the functionality in the attest repo.

Related issue: #40
Paired PR in attest: Easy-TEE/attest#12

TODO:

  • Test on GCP deployment.
  • See what else we need to do to support Azure for portable measurements (where we have image hashes rather than PCRs in policy). As far as I can see, DcapImageHashes is DCAP specific because the azure measure function expects 256 bit hashes rather than 384. So probably we just need to document that Azure is not supported for portable image hashes.
  • Consider also bailing for 'Self-hosted' (non-GCP) 'portable' policies, as this is not fully tested. Or at least document that it is experimental.
  • Deduplicate types (AttestationType, AttestationEvidence / AttestationExchangeMessage) between attestation and attest. The issue is representing the NoAttestation case. Potentially we can use Option. Also potentially an issue with adding Nitro support in Add experimental support for AWS Nitro #45
  • Improve testing / consider approach to mock platform metadata
  • Consider dropping support for attestations encoded as Dstacks/ra-tls VersionedAttestation format. Or at least document that these will not work with 'portable' measurement policies due to the missing platform metadata.
  • Check error handling logic related to missing mrtd / rtmr0 values returned from expected_dcap_registers.
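The verifier dispatch the description outlines, as an added illustration that is not code from this PR or from the attest repo: a policy record either carries a full set of measurements or image hashes, and in the latter case expected registers are computed from platform metadata plus the hashes. The replay below (SHA-384 chaining into a zeroed register) is a simplified stand-in for attest-measure's expected_dcap_registers, and the type names, the 48-byte check and the mrtd/rtmr0 handling are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Union

# Constructed illustration: two policy variants in the spirit of MeasurementRecord.
@dataclass
class FullMeasurements:          # assumption: field names are illustrative
    mrtd: bytes
    rtmr0: bytes

@dataclass
class DcapImageHashes:
    image_hashes: list[bytes]    # ordered SHA-384 image hashes, 48 bytes each

@dataclass
class PlatformMetadata:
    mrtd: Optional[bytes]        # carried in the attestation payload; may be absent

def extend(register: bytes, digest: bytes) -> bytes:
    """TDX-style register extension: new = SHA-384(old || digest)."""
    return hashlib.sha384(register + digest).digest()

def expected_dcap_registers(meta: PlatformMetadata, policy: DcapImageHashes) -> tuple[bytes, bytes]:
    """Simplified stand-in for attest-measure's function: replay image hashes into one register."""
    for h in policy.image_hashes:
        if len(h) != 48:   # DCAP path needs 384-bit digests; 256-bit (Azure-style) hashes are rejected
            raise ValueError(f"expected 48-byte SHA-384 image hash, got {len(h)} bytes")
    if meta.mrtd is None:  # the missing-mrtd case from the TODO list: fail closed
        raise ValueError("platform metadata lacks mrtd; cannot compute expected measurements")
    rtmr0 = bytes(48)
    for h in policy.image_hashes:
        rtmr0 = extend(rtmr0, h)
    return meta.mrtd, rtmr0

def verify(quoted_mrtd: bytes, quoted_rtmr0: bytes, meta: PlatformMetadata,
           policy: Union[FullMeasurements, DcapImageHashes]) -> bool:
    """Compare quoted registers against the policy, computing expected values for the portable case."""
    if isinstance(policy, FullMeasurements):
        exp_mrtd, exp_rtmr0 = policy.mrtd, policy.rtmr0
    else:
        exp_mrtd, exp_rtmr0 = expected_dcap_registers(meta, policy)
    return hmac.compare_digest(exp_mrtd, quoted_mrtd) and hmac.compare_digest(exp_rtmr0, quoted_rtmr0)

def demo() -> dict:
    """Constructed sample input: two image hashes and a platform-reported mrtd."""
    fw, k = hashlib.sha384(b"firmware").digest(), hashlib.sha384(b"kernel").digest()
    meta = PlatformMetadata(mrtd=hashlib.sha384(b"tdvf").digest())
    policy = DcapImageHashes([fw, k])
    exp_mrtd, exp_rtmr0 = expected_dcap_registers(meta, policy)
    return {"match": verify(exp_mrtd, exp_rtmr0, meta, policy),
            "tampered": verify(exp_mrtd, bytes(48), meta, policy),
            "manual": exp_rtmr0 == extend(extend(bytes(48), fw), k)}
```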

@ameba23 ameba23 changed the title Use attest_measure repo to compute expected measurements from image hashes Use attest repo to compute expected measurements from image hashes Jun 3, 2026
@ameba23 ameba23 marked this pull request as draft June 3, 2026 11:04
@ameba23 ameba23 added the breaks protocol This is a protocol breaking change label Jun 3, 2026