tests: enable secure boot provisioning of cm4

[rcooke-warwick]

Enables the secure boot provisioning of cm4

It was difficult to come up with something more generalised due to not having many examples to work with. Requires the following PRs to work:

• etcher sdk changes: minor: allow passing custom assets to start SB protected CM4 balena-io-modules/etcher-sdk#324
• Autokit sw package changes: make necessary changes for cm4 secure boot balena-io-hardware/autokit-interface-sw#87 that use these
• legacy testbot sdk update to support node 18: Update to Node 18 balena-io-hardware/testbot-sdk-sw#55
• leviathan worker update to go to node 18 and include the autokit + testbot package changes: Update dependencies for node 18 and update autokit-sdk to 1.0.31 leviathan-worker#113 (push this PR to your worker to use this workflow)
• leviathan update to expose the FLASHER_SECUREBOOT env var for non-qemu test runs: allow for secureboot flasher env var for non-qemu runs leviathan#1183 (merged, can use latest leviathan with make test FLASHER_SECUREBOOT=1 to use this workflow)

It also requires copying the secure-boot-msd folder into the suites directory before running the tests - either in the jenkins config scripts or manually if running locally

Also required, as shown in the changes to the leviathan config.js in this PR , you must add artifacts: <name of the artifact folder in your config.js. So for example, if you have copied secure-boot-msd into your suites folder, then you must add artifacts: 'secure-boot-msd' . This will send the entire contents of that folder to the worker, placing them in the worker /data volume for use by the autokit (or whatever else is desired)

notes on flashing:

• currently un-tested with locking the CM
• don't be alarmed if the suite gets stuck either trying to find the worker or trying to execute a command over SSH after flashing is "done" - after flashing and powering on the cm4 runs the flasher image first to flash itself, then reboots into the normal image and then operates normally.

---

Contributor checklist

• Changes have been tested
  • Covered in automated test suite
  • Manual test case recorded
• Change-type present on at least one commit
• Signed-off-by is present
• The PR complies with the Open Embedded Commit Patch Message Guidelines

Reviewer Guidelines

• When submitting a review, please pick:
  • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
  • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
  • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

[alexgg]

I think we should not make the artifacts directory a secure boot only tool - what do you think?

[alexgg]

I have rebased these changes onto https://github.com/balena-os/meta-balena/pull/3436/commits

[alexgg]

Also, all mentioned required PRs have already been merged.