resin-init-flasher: with secure boot, authenticate the inner image

[mtoman]

At this moment resin-init-flasher just takes whatever image lies in /opt and dd's it to the target drive. This is fine for general use, but with secure boot enabled, we want to perform at least basic authentication of the image being written.

This patch gets the image signed at build time and makes flasher verify the signature against a key built-in the kernel trust store. At this very moment it fails hard if the signature does not match, but this may change in the future. Technically we only want to know if we are about to flash a balena-provided image or not, we might want to support both but behave slightly differently in each scenario.

---

Contributor checklist

• Changes have been tested
  • Covered in automated test suite
  • Manual test case recorded
• Change-type present on at least one commit
• Signed-off-by is present
• The PR complies with the Open Embedded Commit Patch Message Guidelines

Reviewer Guidelines

• When submitting a review, please pick:
  • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
  • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
  • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)