Implement trussed-auth API #1
|
I've tested this in the firmware and it appears to work reliably, though the initial testing did lead to inconsistent state between the filesystem and the SE050, which led to failures. This suggests that some improvements to error handling could be made and that a full device factory reset will likely be useful, at least to expose the factory reset of the SE050 in some way for developers. |
|
@sosthene-nitrokey An ELI5 here would be really, really appreciated for downstream projects. Sorry for the request, but I would prefer a high-level explanation than to dig down this rabbit hole and follow the rabbit. |
|
This repo will contain an implementation of the trussed APIs through the SE050 secure element rather than the current software implementation. This PR adds an implementation of the trussed-auth APIs.
A future PR will implement the required APIs for asymmetric crypto operations (ECC and RSA), and key wrapping. This is currently heavily WIP and should not be used in production. |
|
Heads users who have bought NK3 keys are starting to ask questions on traditional communication channels. I answered as best I could. Crosslinking to linuxboot/heads#1469 |
|
Ok, I understand. You are asking whether this will allow supporting RSA3072 generated on the device for heads support. This work will indeed lead to that, but in another PR. |
55a2f6f to 09c7d1c
Since this is amongst the most security-sensitive parts of the entire backend, it should be thoroughly reviewed.
See the SE050 notes and key derivation schema on the Nextcloud for the approach taken.