vTPM service attestation is described in section 8.3 of "Secure VM
Service Module for SEV-SNP Guests, Publication #58019 Revision: 1.00
Issue Date: July 2023". It certifies the Endorsement Key (EK) of the
vTPM by providing the TPMT_PUBLIC structure of the EK. This is crucial
for downstream projects like Keylime, as the SVSM vTPM lacks an EK
certificate found in physical TPMs to anchor trust.

The attestation is part of the SVSM Attestation Protocol and uses the
SVSM_ATTEST_SINGLE_SERVICE call (see section 7 of the specifications).
It is triggered by making an SVSM_ATTEST_SINGLE_SERVICE call with the
GUID set to c476f1eb-0123-45a5-9641-b4e7dde5bfe3. The attestation code
returns the VMPL0 attestation report and the vTPM Service Manifest Data
Structure (TPMT_PUBLIC structure of the EK). The REPORT_DATA in the SNP
attestation request is the SHA-512 digest of the input nonce and the
vTPM Service Manifest Data Structure.

The vTPM initialization function was modified to generate an RSA
2048-bit EK from the TPM's Endorsement Primary Seed (EPS) and cache the
public key as a TPMT_PUBLIC structure. This cached EK public key can be
retrieved later for vTPM service attestation. The EK is created with
the TCG default EK template (see Table 4 of the "TCG EK Credential
Profile For TPM Family 2.0; Level 0 Version 2.5 Revision 2.0"). Since
the EK is derived from the EPS, it can be recreated upstream at any
time. For example, the same EK can be recreated in an OS using the TSS2
command "tpm2_createek -c ek.ctx -G rsa -u ek.pub" and compared against
the one returned by vTPM service attestation.

vTPM service attestation as specified can only return one type of EK, so
the implementation supports RSA 2048-bit EK as defined in Table 4 of
the "TCG EK Credential Profile For TPM Family 2.0; Level 0 Version 2.5
Revision 2.0," which is the most common Trusted Computing Group(TCG) EK
type.

Resolves coconut-svsm#437, resolves coconut-svsm#361

Signed-off-by: Geoffrey Ndu <[email protected]>