Feature add VTPM support for runc container #4843

@everzakov

This issue is to bind the creation of virtual TPM devices with container creation. The virtual TPM devices can be used to perform attestation (e.g. using the Direct Anonymous Attestation protocol).
The virtual TPM devices are simulated by the swtpm_cuse binary (the vTPM device is created by CUSE) and are independent of a container namespace.
The initial state of a vTPM device can be prepopulated by the swtpm_setup binary (e.g. create an EK key pair, EK + platform certs).
After the vTPM devices are created, the /dev/tpm + vTPMName will be passed to the container. In order to pass different vTPM devices with the same container path to different containers, the initial device host path is generated.

This feature requires root rights, so it cannot be performed with rootless containers. However, the generated device host path can be passed to the unshared user namespace with a mapped root user.
Because the swtpm_cuse binary always runs for the life of a container, it is restricted by an AppArmor profile.

Also, there is a restriction on running runc in a container, because all vTPM device major and minor numbers should be predefined (and they should be passed to the container cgroup device allow list).

The steps to implement before merging the feature:

  • Merge vTPM config to runc
  • Merge vTPM config to runtime-spec
  • Fix a bug with swtpm_cuse to acquire the file lock after forking the main process.
  • Fix a bug with google/go-tpm to read EK cert from a vTPM device version 1.2.
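
Added example, not part of the issue and not runc code: a sketch of how a generated host device node can be turned into the device entry and cgroup allow rule that the description mentions, using the existing OCI runtime-spec `linux.devices` and `linux.resources.devices` field names rather than the proposed vTPM config. The function names, the container path `/dev/tpm0` (vTPMName assumed to be `0`) and the `rw` access string are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"syscall"
)

// Field names follow the OCI runtime-spec linux.devices entry.
type Device struct {
	Path  string `json:"path"`
	Type  string `json:"type"`
	Major int64  `json:"major"`
	Minor int64  `json:"minor"`
}

// Field names follow the OCI runtime-spec linux.resources.devices entry.
type CgroupRule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type"`
	Major  int64  `json:"major"`
	Minor  int64  `json:"minor"`
	Access string `json:"access"`
}

// SplitRdev decodes a Linux dev_t into (major, minor), as glibc does.
func SplitRdev(rdev uint64) (int64, int64) {
	return int64(((rdev >> 8) & 0xfff) | ((rdev >> 32) & 0xfffff000)),
		int64((rdev & 0xff) | ((rdev >> 12) & 0xffffff00))
}

// VTPMEntries maps one host vTPM node to the path the container sees.
func VTPMEntries(rdev uint64, containerPath string) (Device, CgroupRule) {
	maj, min := SplitRdev(rdev)
	// "rw" without "m": the container may use the node but not mknod it.
	return Device{containerPath, "c", maj, min}, CgroupRule{true, "c", maj, min, "rw"}
}

func main() {
	var st syscall.Stat_t // os.Args[1] is the generated host path of the vTPM node
	if len(os.Args) != 2 || syscall.Stat(os.Args[1], &st) != nil || st.Mode&syscall.S_IFMT != syscall.S_IFCHR {
		fmt.Fprintln(os.Stderr, "usage: <prog> <host path of a character device>")
		os.Exit(1)
	}
	dev, rule := VTPMEntries(uint64(st.Rdev), "/dev/tpm0") // container path is an assumption
	out, _ := json.MarshalIndent(map[string]interface{}{"device": dev, "cgroupRule": rule}, "", "  ")
	fmt.Println(string(out))
}
```

Because CUSE devices receive their major and minor numbers when they are created, the rule has to be computed from the live node, which is why the description says the numbers must be known before the cgroup device allow list is written.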
