
Add Azure TDX (preview) support #170

Closed
wants to merge 3 commits into from

Commits on Jun 21, 2023

  1. attester: Make Attester::get_evidence() async

    Marking get_evidence as async allows running async functions from an
    attester. There are two motivators for this:
    
    - TDX report->quote conversion can require an HTTP request, and it's a
      good idea to run that async.
    - as we move to support the RATS passport model better the attester
      itself might need to talk to MAA or Amber to fetch an attestation
      token.
    
    If get_evidence is not async, then it becomes tricky to use reqwest from
    get_evidence. reqwest::blocking::Client panics because it internally
    uses tokio and get_evidence is called from a tokio runtime.
    
    Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    jepio committed Jun 21, 2023
    Commit b1237bb

Commits on Jul 5, 2023

  1. attester: tdx: Detect platform using cpuid leaf

    This is equally good as a check if the TDX attester should be used.  An
    additional consideration is that while we can check for "known" device node
    names, there is no way to specify which ones the Intel SGX libraries use
    (hardcoded in C source) and the ioctl API also differs for the different names,
    including for the /dev/tdx_guest device that was upstreamed.
    
    Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    jepio committed Jul 5, 2023
    Commit 2cd372e
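The commit above replaces device-node probing with a CPUID check. The following is an added example, not code from this pull request or from the attestation-agent project, showing how that detection works in std-only Rust: the Linux kernel identifies a TDX guest by first confirming that CPUID leaf 0x21 is exposed at all (basic leaf 0 reports the maximum leaf) and then reading the 12-byte signature "IntelTDX    " from EBX, EDX, ECX of leaf 0x21, subleaf 0. The leaf number and signature are taken from the kernel; the function names (`is_tdx_signature`, `is_tdx_guest`, `regs_from_signature`) are assumptions for this example. The decision logic is kept separate from the `cpuid` instruction so it can be exercised with constructed register values on a non-TDX machine.

```rust
// Added example (not from the PR or the project): TDX guest detection via CPUID
// leaf 0x21, mirroring the kernel's tdx_early_init() check. Function names are
// assumptions for this example.

/// CPUID leaf carrying the TDX guest signature (Linux: TDX_CPUID_LEAF_ID).
pub const TDX_CPUID_LEAF_ID: u32 = 0x21;
/// 12-byte signature returned in the usual vendor-string register order.
pub const TDX_SIGNATURE: &str = "IntelTDX    ";

/// Reassemble the 12-byte signature in CPUID vendor order: EBX, EDX, ECX.
pub fn signature_from_regs(ebx: u32, ecx: u32, edx: u32) -> String {
    let mut bytes = Vec::with_capacity(12);
    bytes.extend_from_slice(&ebx.to_le_bytes());
    bytes.extend_from_slice(&edx.to_le_bytes());
    bytes.extend_from_slice(&ecx.to_le_bytes());
    String::from_utf8_lossy(&bytes).into_owned()
}

/// Pure decision logic: true only if leaf 0x21 is exposed and carries the
/// TDX signature. On CPUs whose maximum basic leaf is below 0x21 the
/// registers of leaf 0x21 are meaningless, so they are not consulted.
pub fn is_tdx_signature(max_basic_leaf: u32, ebx: u32, ecx: u32, edx: u32) -> bool {
    if max_basic_leaf < TDX_CPUID_LEAF_ID {
        return false;
    }
    signature_from_regs(ebx, ecx, edx) == TDX_SIGNATURE
}

/// Query the real hardware. Only meaningful on x86_64; false elsewhere.
#[cfg(target_arch = "x86_64")]
pub fn is_tdx_guest() -> bool {
    use std::arch::x86_64::__cpuid_count;
    // SAFETY: CPUID exists on every x86_64 CPU and has no side effects.
    let basic = unsafe { __cpuid_count(0, 0) };
    if basic.eax < TDX_CPUID_LEAF_ID {
        return false;
    }
    let r = unsafe { __cpuid_count(TDX_CPUID_LEAF_ID, 0) };
    is_tdx_signature(basic.eax, r.ebx, r.ecx, r.edx)
}

#[cfg(not(target_arch = "x86_64"))]
pub fn is_tdx_guest() -> bool {
    false
}

/// Test helper: pack a 12-byte ASCII signature into (ebx, ecx, edx) exactly as
/// the CPU would return it, so the pure logic can be checked with constructed
/// values on any machine.
pub fn regs_from_signature(sig: &str) -> (u32, u32, u32) {
    let b = sig.as_bytes();
    assert_eq!(b.len(), 12, "signature must be 12 bytes");
    let word = |i: usize| u32::from_le_bytes([b[i], b[i + 1], b[i + 2], b[i + 3]]);
    // ebx = bytes 0..4, edx = bytes 4..8, ecx = bytes 8..12
    (word(0), word(8), word(4))
}

fn main() {
    println!("running inside a TDX guest: {}", is_tdx_guest());
}
```

Run on an Azure TDX VM (or any TDX guest) `is_tdx_guest()` returns true regardless of which device-node name the kernel exposes, which is the property the commit message relies on; on an ordinary host it returns false because leaf 0x21 is either absent or carries a different signature.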

Commits on Jul 7, 2023

  1. attester: tdx: Support TDX CVM on Azure

    To get TDX attestation to work on Azure there are several changes
    needed:
    - the device node is called /dev/tdx_guest (upstream kernel name)
    - quote generation uses the IMDS (instance metadata service) instead
      of tdvmcall or vsock. This also means we can't use tdx_att_get_quote
      which combines quote and report fetching
    - no CCEL
    
    Implement the evidence gathering in a sub-module attester, but keep it
    within the TDX module because the evidence is fully compatible with the
    existing TDX verifier.
    
    It would be possible to use tdx_att_get_report, but calling an ioctl is
    easy enough that it doesn't make sense to add the dependency on the
    native library. The Intel library also seems to have an outdated
    definition of the ioctl.
    
    Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
    jepio committed Jul 7, 2023
    Commit 1b2ec06