Enable mapping extra TCB and SC caps into PD's

[Kswin01]

This PR adds functionality to map arbitrary TCB and SC caps of other PD's into another PD. This can allow a user to share a SC cap of one PD to another without having to explicitly make the destination PD the parent (and therefore have to also handle faults of the child).

Adding a cap to a PD requires adding a <cap/> node to a PD:

    <protection_domain name="parent" priority="55">
        <program_image path="parent.elf" />
        <cap type="tcb" pd="child" dest_cspace_slot="5" />
        <cap type="sc" pd="parent" dest_cspace_slot="6" />
    </protection_domain>

You must specify the type of cap (currently only implemented for TCBs and SCs but can be extended in the future). Additionally, the name of the pd that is the source of that cap. The destination cspace slot is an index into the BASE_USER_CAPS region of the cspace.

This PR is also reflected in: https://github.com/au-ts/microkit_sdf_gen/tree/cap_sharing

[Indanz]

As you can see from the comments, I don't know Rust, so take everything I say with a big grain of salt. But I'm pretty sure it doesn't need to be quite this ugly.

[midnightveil]

Remaining work on this to get this merged:

• Test example
• Documentation
• Make the "user caps" its own cnode that is dynamically sized, there's no reason to limit this (see also: the untypeds PR).
• Bikeshed the appearance (thought: instead of <cap>, doing a <extra_caps> element with child (<endpoint>) or (<sc>); this would allow more fine grain attribute on the different cap types, instead of smooshing everything onto one <cap> element. (edit: <cnode element?)

Desired additions in later PRs.

• remove PD hierarchy. To do this we want to add a feature to automatically migrate one .system file to another; there should be no need for this to be manual user.
• Make it a fully functional replacement for the PD hierarchy. i.e. allow the fault endpoints to be set up arbitrarily. (it might make sense for this not to be the <extra_caps>, IDK