enclaver trust to output attestation document from a given image

[robszumski]

Add a new command to make it easy to get an attestation document from an enclave image. You may want this to compare to what you are running, what was built from CI, or as the input to a KMS policy.

$ enclaver trust registry.example.com/my-app:v1.0
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "7fb5c55bc2ecbb68ed99a13d7122abfc0666b926a79d5379bc58b9445c84217f59cfdd36c08b2c79552928702efe23e4",
    "PCR1": "235c9e6050abf6b993c915505f3220e2d82b51aff830ad14cbecc2eec1bf0b4ae749d311c663f464cde9f718acca5286",
    "PCR2": "0f0ac32c300289e872e6ac4d19b0b5ac4a9b020c98295643ff3978610750ce6a86f7edff24e3c0a4a445f2ff8a9ea79d",
    "PCR8": "70da58334a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaebe68f6f"
  }
}

Remove mentions if this does not move forward:

• Calculating Cryptographic Attestations on architecture docs
• Inner Proxy on architecture docs
• Here's an example of an attestation: on app guide docs

For folks testing on a personal AWS account, it would be nice to have this command take in an existing KMS policy to update, similar to this pseudocode:

$ aws kms get-policy | enclaver trust --kms | aws kms update-policy
Policy updated

enclave run could also take in a policy to check, as explored in #35