Closed MarcusGrass closed 1 year ago
Sorry for the delay, it's been a lot lately. Now the encryption details are baked into the encrypted blob header!
I'll settle for this for now; having both the salt and nonce in the header is unnecessary, but I think I'll have to rethink the header anyway. Ideally it would have a flexible length so that the header could be parsed in a backwards-compatible way if stuff changes in it. I was thinking about duplicating the header as a footer to prevent bit-rot from making the kernel unbootable; then again, maybe that's not the biggest issue when it's just a single file that can fairly easily be rebuilt.
Ideally I'll figure out a way not to include any configuration in the bootloader binary, but for that I have to find a way to navigate the vfat filesystem at the UEFI level. If I can do that, the build step would be a lot simpler: initially, an initramfs.cfg could be generated, then any time you change the kernel you just run boot-strap without needing to recompile the bootloader. That way it could more easily go into a mkinitcpio or whatever else.
Funnily enough, the project structure is messy because it started as just an initramfs in Rust, then I started looking at the bootloader, then merged the projects, so it's a bit strange overall.
It probably should be separate things, but it's difficult to separate if encryption is present, at least without looking at decrypting a LUKS partition. That might not necessarily be so hard, but I haven't looked into it yet. It has to be done at the UEFI level, which is always a bit of a hassle.
I think the main improvements that would make this usable are to figure out if I can find the cwd in UEFI; if I can do that, we don't need any data inserted into the bootloader binary. Secondly, figuring out how to pass kernel parameters when starting the UEFI image is important to be able to support an initramfs that's not compiled into the kernel.
But as always, first make it work, then make it good. I think having correct encryption is prio 1; thank you a lot for the help with that!
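The comment above sketches a header that carries the salt and the AES-GCM nonce, has a length field so older readers can skip fields a newer version adds, and is duplicated as a footer so a bit-rotted copy does not leave the kernel unbootable. The following is an added example written for this page, not code from boot-rs or from MarcusGrass: the magic value, the 32-byte salt, the fixed prefix layout, the CRC-32 over the header and the two-byte trailer that locates the footer are all assumptions, chosen only to show how such a format can be parsed defensively.

```rust
// Added example, not boot-rs code. Hypothetical layout:
//   header | ciphertext | header copy | header_len (u16 LE)
// Header = magic(4) | version(2) | header_len(2) | crc32(4) | salt | nonce | [newer fields]
const MAGIC: &[u8; 4] = b"BTRS"; // assumed magic, not the project's
const SALT_LEN: usize = 32; // assumed KDF salt length
const NONCE_LEN: usize = 12; // AES-GCM's standard 96-bit nonce
const PREFIX_LEN: usize = 12; // magic + version + header_len + crc32
const MIN_HEADER_LEN: usize = PREFIX_LEN + SALT_LEN + NONCE_LEN;
const TRAILER_LEN: usize = 2; // repeats header_len so the footer can be found from the end

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Header {
    pub version: u16, // assumed policy: high byte = incompatible layout, low byte = appended fields
    pub salt: [u8; SALT_LEN],
    pub nonce: [u8; NONCE_LEN],
}

/// CRC-32 (IEEE, reflected), bitwise so no crate is needed. Bit-rot detection only;
/// it is not a MAC, so the header bytes should also be fed to AES-GCM as associated data.
pub fn crc32(data: &[u8]) -> u32 {
    let mut crc = 0xFFFF_FFFFu32;
    for &b in data {
        crc ^= u32::from(b);
        for _ in 0..8 {
            let mask = (crc & 1).wrapping_neg();
            crc = (crc >> 1) ^ (0xEDB8_8320 & mask);
        }
    }
    !crc
}

impl Header {
    /// Serialize one copy. `extra` stands in for fields a newer minor version appends;
    /// an older reader skips them via header_len. The CRC is computed with its field zeroed.
    pub fn encode_with_extra(&self, extra: &[u8]) -> Vec<u8> {
        let total = MIN_HEADER_LEN + extra.len();
        let mut out = Vec::with_capacity(total);
        out.extend_from_slice(MAGIC);
        out.extend_from_slice(&self.version.to_le_bytes());
        out.extend_from_slice(&(total as u16).to_le_bytes());
        out.extend_from_slice(&[0u8; 4]);
        out.extend_from_slice(&self.salt);
        out.extend_from_slice(&self.nonce);
        out.extend_from_slice(extra);
        let crc = crc32(&out);
        out[8..12].copy_from_slice(&crc.to_le_bytes());
        out
    }

    /// Parse one copy at the start of `buf`, returning it and its on-disk length.
    /// Every length is checked before it is used as an index; unknown trailing fields are ignored.
    pub fn decode(buf: &[u8]) -> Result<(Header, usize), &'static str> {
        if buf.len() < MIN_HEADER_LEN {
            return Err("truncated header");
        }
        if &buf[..4] != MAGIC {
            return Err("bad magic");
        }
        let version = u16::from_le_bytes([buf[4], buf[5]]);
        let header_len = usize::from(u16::from_le_bytes([buf[6], buf[7]]));
        if header_len < MIN_HEADER_LEN || header_len > buf.len() {
            return Err("bad header length");
        }
        let stored_crc = u32::from_le_bytes([buf[8], buf[9], buf[10], buf[11]]);
        let mut copy = buf[..header_len].to_vec();
        copy[8..12].fill(0);
        if crc32(&copy) != stored_crc {
            return Err("header crc mismatch");
        }
        if version >> 8 != 0 {
            return Err("incompatible major version");
        }
        let mut salt = [0u8; SALT_LEN];
        let mut nonce = [0u8; NONCE_LEN];
        salt.copy_from_slice(&buf[PREFIX_LEN..PREFIX_LEN + SALT_LEN]);
        nonce.copy_from_slice(&buf[PREFIX_LEN + SALT_LEN..MIN_HEADER_LEN]);
        Ok((Header { version, salt, nonce }, header_len))
    }
}

/// Write header, ciphertext, the header again as footer, then the footer's length.
pub fn write_blob(hdr: &Header, ciphertext: &[u8]) -> Vec<u8> {
    let h = hdr.encode_with_extra(&[]);
    let mut blob = Vec::with_capacity(2 * h.len() + ciphertext.len() + TRAILER_LEN);
    blob.extend_from_slice(&h);
    blob.extend_from_slice(ciphertext);
    blob.extend_from_slice(&h);
    blob.extend_from_slice(&(h.len() as u16).to_le_bytes());
    blob
}

/// Prefer the leading header; if its CRC fails, fall back to the footer copy.
/// The surviving copy's header_len bounds the ciphertext on both sides.
pub fn read_blob(blob: &[u8]) -> Result<(Header, &[u8]), &'static str> {
    let (hdr, hl) = match Header::decode(blob) {
        Ok(v) => v,
        Err(_) => {
            let n = blob.len();
            if n < TRAILER_LEN {
                return Err("truncated blob");
            }
            let fl = usize::from(u16::from_le_bytes([blob[n - 2], blob[n - 1]]));
            if fl > n - TRAILER_LEN {
                return Err("bad footer length");
            }
            Header::decode(&blob[n - TRAILER_LEN - fl..n - TRAILER_LEN])
                .map_err(|_| "both header copies corrupt")?
        }
    };
    if blob.len() < 2 * hl + TRAILER_LEN {
        return Err("truncated blob");
    }
    Ok((hdr, &blob[hl..blob.len() - TRAILER_LEN - hl]))
}
```

The reader never trusts a length it has not bounds-checked against the buffer, which matters for code that runs pre-boot where a bad index means a hang rather than a panic message. The CRC only catches bit-rot; to detect deliberate tampering with the salt or nonce, the validated header bytes should additionally be passed as associated data to the AES-GCM call so the tag covers them (a suggestion here, not something the thread describes).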
Fixes https://github.com/MarcusGrass/boot-rs/issues/1. Encrypts the kernel using AES-GCM to ensure integrity of the decrypted payload.
Not a lot of meaningful changes outside of the IV/nonce going from 16 to 12 bytes, plus some drive-by clippy cleanups.