Mount /var/cache/amd-sev/ into the GHA runner

[connorkuehl]

This machine is a CI machine and a developer machine. The CI invalidates any cached certificate chains. For this to scale beyond 1 developer, we need the CI to leave the system in the same state that it found it in.

• [x] sevctl is packaged in copr repo for use in Enarx kickstart
• [x] Enarx kickstart caches the certificate chain to /var/cache/amd-sev/chain
• [x] Enarx kickstart mounts /var/cache/amd-sev/:/var/cache/amd-sev into the GHA runner container
• [x] sev tests stop invalidating cached chain
• [ ] enarx-keepldr CI stops caching its own chain to ~/.cache/var/amd-sev/chain (these steps should be removed entirely from CI)

After this is fixed, developers should remove their home-dir cached chain: rm ~/.cache/amd-sev/chain and in most cases, can stop caching it there manually entirely.

Ultimately the goal here is to start caching it in a system-wide location rather than expecting developers to manually cache this in their home dir.

[haraldh]

So, here is my thought of a user experience:

search:

• iterate through the paths, until it finds one that exist
• check if that cache is valid
• if not, report to the log/user, that there is an invalide cache file and goto search

if no cache file was found, perform the expensive operation and create one, where the app has permissions to do so.

[connorkuehl]

I'm worried that re-entering the search would only encourage users to leave redundant certificate chains on the system.

I think if we only leave a certificate chain in /var/amd-sev/chain by convention, the certificate chain management will be entirely transparent to developers and CI.