CCF
Verify signer of measurement from SEV-SNP attestation
We currently verify that the measurement (a digest of the UVM) in a SEV-SNP attestation matches exactly a known good measurement.
Since UVM updates can happen outside of the user's control, this is a fairly brittle check, and matching a single hard-coded value tells us little about the trustworthiness of the node being attested. It would be better to verify instead that the measurement is signed by a trusted entity (via a trusted chain or otherwise). This would give us confidence that the UVM is in a known good state in a way that is also auditable.
We will need to allow the user to configure the root of trust, which likely means a new table to record roots of trust (we could initially hardcode the MS one).