Implement trusted time API in Oak runtime

[tiziano88]

We should have an API available to the Oak Runtime nodes (and also probably also exposed as a WebAssembly function) to retrieve the current time in a trusted way. In C++ this may be used to validate HTTPS certificate and other time-based assertions. In WebAssembly it may be used by application developer as part of the application logic.

A possible approach would be to use roughtime and hardcode a number of server endpoints (and their certificates) in the Oak Runtime itself, and use a threshold (k out of n) to periodically request a trusted wall-clock time reference. Then we can use internal relative timer in SGX to keep counting between those trusted references.

See also:

• https://github.com/intel/linux-sgx/issues/161
• https://developers.cloudflare.com/roughtime/docs/recipes/
• https://roughtime.googlesource.com/roughtime

[conradgrobler]

The first implementation will use roughtime:

• The c++ client is not as feature-rich as the go client and does not support chaining, so the first version will make multiple independent calls to the servers in the list (probably in randomised order).
• V1 will use a hardcoded list of n servers (probably 3 for now). Future versions could look at making this configurable (possibly as part of the policy system).
• We will filter our any where the radius is above some max size (TBD)
• If we find an overlap between the ranges of at least k servers (probably 2 for now) we will use the middle of the overlapping interval. Otherwise just fail.
• To check: Can requests happen in parallel? If not is the radius big enough so that we will have overlap if reuqests happen sequentially and some take long?

As a later addition, acccess to sgx trusted time will be added:

• Trusted time only provides relative time, so can be used to an calculate offset from time received by roughtime to the current time.
• Trusted time has resolution of 1 second
• According to some comments on the Intel discussion this could take 10 seconds to run the first time, and more than a second for each subsequent request.
• If the returned nonce changes, we can no longer trust the time interval and need to get new rough time again.

C++ API will provide finer-grained control, with separate calls to roughtime and sgx trusted time.

The API exposed to web assembly will be simplified with a single call, which would try and optimise the request using either roughtime or sgx trusted time as appropriate.

[conradgrobler]

Initial roughtime client is implemented.

[conradgrobler]

The SGX trusted time is no longer supported on Linux, so there is not point in trying to implement support for it. We can revist the issue later when new options become available.

[daviddrysdale]

Roughtime client functionality made available to Oak Nodes as a pseudo-Node in #845