MS1 of ShutterTEE: encrypt persistence

[RmbRT]

This is a port from the previous efforts at https://github.com/perun-network/shutter which mistaknely targeted the old repository. It would be good to mark the old repository as out of use, and to mark the rolling-shutter repository as being the thing that's now relevant. Sadly, due to the wildly different scheme for persistence, almost none of the effort besidse the tee package could be copied over.

For the review, I recommend to first look in detail at the keyper/tee package, and then look at the rest of the changes. The README in the tee package gives additional information and context about the project, as do the package comments of the tee package. These clearly state the intended security properties and effects. Since we are not overly familiar with the nuances of Shutter, please also check whether we missed any sensitive fields.

Steps taken:

• Add a HW encryption layer in keyper/tee, which either does nothing, or, if a TEE is present, uses hardware encryption. This layer wraps around some (de)serialisation functions. TEE programs can load encrypted and plaintext data via that layer, so it can seamlessly migrate from legacy execution.
• Searched for instances of sensitive data being stored or loaded from the database, and then made their encoding TEE-aware. Luckily, this did not require any changes to the SQL schema definitions.
• Made the text encodings of secret keys use HW encryption, so that no secret key should end up in plaintext in a config.
• Added a general overview of the ShutterTEE project in the keyper/tee README.