
DCAP attestation: Add GCP provenance check to establish whether the associated PPID is endorsed by Google#54

Draft
ameba23 wants to merge 5 commits into
mainfrom
peg/gcp-provenance

Conversation

@ameba23 ameba23 commented Jun 12, 2026

Collaborator

This will not yet work, but is in anticipation of GCP publicly publishing PPIDs of their TDX machines. Do not merge until this is available and has been tested in production.

When verifying an attestation which claims to be of type AttestationType::GcpTdx this PR adds an additional check as to whether the PPID from the PCK certificate included in the attestation is present in GCP's [soon to be] public bucket, which indicates that the PPID belongs to them.

To avoid unnecessary network calls on subsequent verifications, known GCP PPIDs are cached.

TODO:

  • Add timestamp checks / validity window
  • Validity window for cached PPIDs (store timestamp in cache)
  • Fix measurement policy to explicitly match GCP attestation type - otherwise this check is useless
  • Review against the Go implementation: https://github.com/google/go-tdx-guest/tree/main/tools/provenance
  • Tests - do we check PPID extraction with our existing DCAP test assets?

@ameba23 ameba23 marked this pull request as draft June 12, 2026 07:15
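The cache-then-fetch logic the description outlines, with the validity window from the TODO list, as an added Rust example that is not code from this PR or the project. The PR does not show how GCP's list is published or fetched, so the source is abstracted behind a hypothetical `PpidSource` trait with a fixed-list stand-in; `GcpProvenanceChecker`, `StaticSource` and the sample PPID values are all assumptions made for the example.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Platform Provisioning ID as carried in a PCK certificate (16 bytes).
pub type Ppid = [u8; 16];

/// Where the provider's published list of endorsed PPIDs comes from.
/// Hypothetical abstraction: the PR does not show the bucket format or URL,
/// so fetching is left to the implementor (HTTP client, file, test stub).
pub trait PpidSource {
    fn fetch_endorsed_ppids(&mut self) -> Result<Vec<Ppid>, String>;
}

/// Stand-in source backed by a fixed list; used here instead of a network call.
pub struct StaticSource(pub Vec<Ppid>);

impl PpidSource for StaticSource {
    fn fetch_endorsed_ppids(&mut self) -> Result<Vec<Ppid>, String> {
        Ok(self.0.clone())
    }
}

/// Caches endorsed PPIDs together with the time they were fetched, so a
/// stale entry is refreshed rather than trusted indefinitely.
pub struct GcpProvenanceChecker<S: PpidSource> {
    source: S,
    cache: HashMap<Ppid, Instant>,
    ttl: Duration,
    /// Number of fetches performed; exposed so callers can confirm caching works.
    pub fetch_count: usize,
}

impl<S: PpidSource> GcpProvenanceChecker<S> {
    pub fn new(source: S, ttl: Duration) -> Self {
        Self { source, cache: HashMap::new(), ttl, fetch_count: 0 }
    }

    /// Ok(()) when `ppid` is endorsed: either a cache entry younger than `ttl`
    /// exists, or a fresh fetch of the published list contains it.
    /// `now` is passed in rather than read from the clock so the logic is testable.
    pub fn check(&mut self, ppid: &Ppid, now: Instant) -> Result<(), String> {
        if let Some(&fetched_at) = self.cache.get(ppid) {
            if now.duration_since(fetched_at) < self.ttl {
                return Ok(());
            }
            // Expired: fall through and refresh from the source.
        }
        self.fetch_count += 1;
        let list = self.source.fetch_endorsed_ppids()?;
        // Replace the cache wholesale: a PPID the provider has withdrawn
        // must not survive from an earlier fetch.
        self.cache = list.iter().map(|p| (*p, now)).collect();
        if self.cache.contains_key(ppid) {
            Ok(())
        } else {
            Err(format!("PPID {} not in GCP's published list", hex(ppid)))
        }
    }
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02x}")).collect()
}

fn main() {
    let endorsed: Ppid = [0x11; 16]; // constructed sample value
    let unknown: Ppid = [0x22; 16];  // constructed sample value
    let mut checker = GcpProvenanceChecker::new(
        StaticSource(vec![endorsed]),
        Duration::from_secs(3600),
    );
    let now = Instant::now();
    println!("{:?}", checker.check(&endorsed, now));
    println!("{:?}", checker.check(&unknown, now));
    println!("fetches: {}", checker.fetch_count);
}
```

Only a positive answer is ever served from the cache; an unknown PPID always triggers a fresh fetch, and every fetch replaces the cache rather than merging into it, so an entry that disappears from the published list cannot keep passing verification until its own timestamp expires.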
