Signing enclave images with HSM/KSM

[yoavj1]

Currently the only option to sign an enclave image is to pass the private key and the certificate to build-enclave command. However, it prevents storing the key in a secure storage like HSM or KSM, and using it only for signing without retrieving the key itself.
One solution is to allow to add the signature after the enclave was created, so the signature can be produced independently from the enclave creation.

[petreeftime]

Thank you for the feature request. There are two topics here:

1. Signing with an AWS KMS asymmetric key (and/or maybe a key from an HSM or Nitro Enclave :) ).
2. Attaching/replacing a signature to an already created image.

[gal-fordefi]

@petreeftime I guess that now, that you merged awslabs/aws-nitro-enclaves-cose#5, it's possible to add the requested functionality to the CLI.

[petreeftime]

Yes, it should be possible to add support for this.