Implement CI tests for FIPS-mode 6.1 guest kernels

[deRemo]

Changes

Enable FIPS-mode testing for 6.1 guest kernels. This includes:

Test infrastructure changes to support FIPS testing:

• Add FIPS-compatible SSH options (KexAlgorithms=ecdh-sha2-nistp521, HostKeyAlgorithms=rsa-sha2-512, PubkeyAcceptedAlgorithms=rsa-sha2-512, cipher aes256-ctr) to the SSH connection helper
• Explicitly specify FIPS-compliant RSA 2048-bit key type when downloading the artifacts
• Added uvm_with_fips and fips_snapshot_pair fixtures in tests/conftest.py

FIPS integration testsuite to verify:

• FIPS mode is enabled in the guest kernel
• FIPS RNG reseeding is logged on snapshot restore
• Kernel CSPRNG (/dev/urandom) diverges across two VMs restored from the same snapshot
• Userspace CSPRNG (Python's secrets module) diverges across two VMs restored from the same snapshot

Reason

• Add integration tests that validate correct FIPS behavior

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

• I have read and understand CONTRIBUTING.md.
• I have run tools/devtool checkbuild --all to verify that the PR passes
  build checks on all supported architectures.
• I have run tools/devtool checkstyle to verify that the PR passes the
  automated style checks.
• I have described what is done in these changes, why they are needed, and
  how they are solving the problem in a clear and encompassing way.
• I have updated any relevant documentation (both in code and in the docs)
  in the PR.
• I have mentioned all user-facing changes in CHANGELOG.md.
• If a specific issue led to this PR, this PR closes the issue.
• When making API changes, I have followed the
  Runbook for Firecracker API changes.
• I have tested all new and changed functionalities in unit tests and/or
  integration tests.
• I have linked an issue to every new TODO.

---

• This functionality cannot be added in rust-vmm.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.91%. Comparing base (330bb5e) to head (9f1cbf2).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5888   +/-   ##
=======================================
  Coverage   82.91%   82.91%           
=======================================
  Files         277      277           
  Lines       30077    30077           
=======================================
  Hits        24937    24937           
  Misses       5140     5140           

Flag	Coverage Δ
5.10-m5n.metal	83.21% <ø> (+<0.01%)	⬆️
5.10-m6a.metal	82.55% <ø> (+<0.01%)	⬆️
5.10-m6g.metal	79.85% <ø> (-0.01%)	⬇️
5.10-m6i.metal	83.21% <ø> (ø)
5.10-m7a.metal-48xl	82.54% <ø> (+<0.01%)	⬆️
5.10-m7g.metal	79.85% <ø> (ø)
5.10-m7i.metal-24xl	83.19% <ø> (+0.01%)	⬆️
5.10-m7i.metal-48xl	83.19% <ø> (+<0.01%)	⬆️
5.10-m8g.metal-24xl	79.85% <ø> (ø)
5.10-m8g.metal-48xl	79.85% <ø> (ø)
5.10-m8i.metal-48xl	83.18% <ø> (+<0.01%)	⬆️
5.10-m8i.metal-96xl	83.18% <ø> (+<0.01%)	⬆️
6.1-m5n.metal	83.24% <ø> (+<0.01%)	⬆️
6.1-m6a.metal	82.57% <ø> (ø)
6.1-m6g.metal	79.85% <ø> (ø)
6.1-m6i.metal	83.24% <ø> (+<0.01%)	⬆️
6.1-m7a.metal-48xl	82.57% <ø> (-0.01%)	⬇️
6.1-m7g.metal	79.85% <ø> (-0.01%)	⬇️
6.1-m7i.metal-24xl	83.24% <ø> (+<0.01%)	⬆️
6.1-m7i.metal-48xl	83.25% <ø> (+<0.01%)	⬆️
6.1-m8g.metal-24xl	79.84% <ø> (-0.01%)	⬇️
6.1-m8g.metal-48xl	79.84% <ø> (-0.01%)	⬇️
6.1-m8i.metal-48xl	83.25% <ø> (+<0.01%)	⬆️
6.1-m8i.metal-96xl	83.25% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.