Introduce a KeyManager (#2990)

The `KeyManager` will be used by sled-agent to retrieve rack secrets via
an implementation of a `SecretRetriever` and generate derived keys.

Currently the only keys produced are those necessary for U.2 drive
encryption, and follow the derivation scheme in section 4 of RFD 301.

For initail implementation, input key material (IKM) will be retrieved
from a `SecretRetriever` backed by a sled local mechanism. Future
implementations of `SecretRetriever` will use the trust quorum rack
secret retrieved from the bootstore.

Cargo.toml

@@ -22,6 +22,7 @@ members = [
     "installinator-common",
     "internal-dns",
     "ipcc-key-value",
+    "key-manager",
     "nexus",
     "nexus-client",
     "nexus/authz-macros",
@@ -79,6 +80,7 @@ default-members = [
     "installinator-common",
     "internal-dns",
     "ipcc-key-value",
+    "key-manager",
     "nexus",
     "nexus-client",
     "nexus/authz-macros",
@@ -264,6 +266,7 @@ rustfmt-wrapper = "0.2"
 rustls = "0.21.1"
 samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
 schemars = "0.8.12"
+secrecy = "0.8.0"
 semver = { version = "1.0.17", features = ["std", "serde"] }
 serde = { version = "1.0", default-features = false, features = [ "derive" ] }
 serde_derive = "1.0"

key-manager/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "key-manager"
+version = "0.1.0"
+edition = "2021"
+license = "MPL-2.0"
+
+[dependencies]
+async-trait.workspace = true
+hkdf = "0.12.3"
+secrecy.workspace = true
+sha3.workspace = true
+sled-hardware.workspace = true
+thiserror.workspace = true
+tokio.workspace = true
+zeroize.workspace = true
+