Add checking of TCB version when checking a SNP attestation

[cjen1-msft]

SNP attestation reports are checked by verify_snp_attestation_report but only validates that the TCB in the attestation report matches that in the endorsed_tcb field in the quote.

The 'correct' fix will probably be to add a new set of 'good' tcbs.
This can then get populated with the current TCB on network creation and then updated via a governance action.

[cjen1-msft]

This should also mix the TCB version into any derived keys (#6791).

[cjen1-msft]

From: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
We should be require at least TCB[SNP] version 0x18 on Milan and 0x17 on Genoa.