confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

podvm: retrieve guest-components via ORAS #2074

Closed mkulke closed 1 month ago

mkulke commented 1 month ago

~Note: draft until GC 731 and #2064 have been merged~

In this change the artifacts are now retrieved from guest-components' ORAS registry. Hence the Rust build infrastructure can be removed with this change.

There is an option to verify the provenance of the guest-components artifacts that we download as part of the build. It is opt-in: you have to set VERIFY_PROVENANCE=yes when building a podvm. There are respective build flags in src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora and in src/cloud-api-adaptor/podvm-mkosi/Makefile. Currently only the azure-podvm-image-build CI workflow has the provenance checks enabled.

There are some notable changes:

wainersm commented 1 month ago

The required PRs were merged, but ORAS images aren't published yet (https://github.com/confidential-containers/guest-components/actions/workflows/publish-artifacts.yml) due to a bug in the setup-oras action (https://github.com/oras-project/setup-oras/pull/57), so I could not test this yet.

stevenhorsman commented 1 month ago

@mkulke - in case you hadn't spotted it, this needs a rebase to pick up the KBS version change from #2099 and resolve the conflict. Thanks and let's hope we can get this merged today 🤞