Test: Protected VM fails if images are signed by unknown

Arrange:
- prepare VM images signed with a test key
Act:
- start a protected VM
Assert:
- a boot process fails due to pubkey mismatch between pvmfw and
  bootloader

Bug: 218934597
Test: atest MicrodroidHostTestCases
Change-Id: I05755ddf32839ef531ca9a11b2939bbc251ff1fb
diff --git a/microdroid/payload/mk_payload.cc b/microdroid/payload/mk_payload.cc
index fd1ce78..6e3f526 100644
--- a/microdroid/payload/mk_payload.cc
+++ b/microdroid/payload/mk_payload.cc
@@ -269,24 +269,34 @@
 }
 
 int main(int argc, char** argv) {
-    if (argc != 3) {
-        std::cerr << "Usage: " << argv[0] << " <config> <output>\n";
+    if (argc < 3 || argc > 4) {
+        std::cerr << "Usage: " << argv[0] << " [--metadata-only] <config> <output>\n";
         return 1;
     }
+    int arg_index = 1;
+    bool metadata_only = false;
+    if (strcmp(argv[arg_index], "--metadata-only") == 0) {
+        metadata_only = true;
+        arg_index++;
+    }
 
-    auto config = LoadConfig(argv[1]);
+    auto config = LoadConfig(argv[arg_index++]);
     if (!config.ok()) {
         std::cerr << "bad config: " << config.error() << '\n';
         return 1;
     }
 
-    const std::string output_file(argv[2]);
-    const std::string metadata_file = AppendFileName(output_file, "-metadata");
+    const std::string output_file(argv[arg_index++]);
+    const std::string metadata_file =
+            metadata_only ? output_file : AppendFileName(output_file, "-metadata");
 
     if (const auto res = MakeMetadata(*config, metadata_file); !res.ok()) {
         std::cerr << res.error() << '\n';
         return 1;
     }
+    if (metadata_only) {
+        return 0;
+    }
     if (const auto res = MakePayload(*config, metadata_file, output_file); !res.ok()) {
         std::cerr << res.error() << '\n';
         return 1;