Validating using an offload device security component
US-9667414-B1 · May 30, 2017 · US
US10318737B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10318737-B2 |
| Application number | US-201615199479-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 30, 2016 |
| Priority date | Jun 30, 2016 |
| Publication date | Jun 11, 2019 |
| Grant date | Jun 11, 2019 |
Official abstract text for this publication.
A multi-phase boot operation of a virtualization manager at a virtualization host is initiated at an offload card. In a first phase of the boot, a security key stored in a tamper-resistant location of the offload card is used. In a second phase, firmware programs are measured using a security module, and a first version of a virtualization coordinator is instantiated at the offload card. The first version of the virtualization coordinator obtains a different version of the virtualization coordinator and launches the different version at the offload card. Other components of the virtualization manager (such as various hypervisor components that do not run at the offload card) are launched by the different version of the virtualization coordinator.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: performing, at one or more components of a first offload card of a virtualization host: initiating a first phase of a multi-phase boot operation of a virtualization manager of the virtualization host, wherein the first phase comprises using a first key pair to validate at least one firmware program, wherein a first key of the first key pair is stored in a tamper-resistant portion of the first offload card; in response to determining that the first phase has completed successfully, initiating a second phase of the multi-phase boot operation, wherein the second phase comprises (a) measuring one or more firmware programs using a security module and (b) launching a first version of a virtualization coordinator at the first offload card; utilizing a particular key, obtained from the security module by the first version of a virtualization coordinator, to obtain a different version of the virtualization coordinator from a storage device; launching the different version of the virtualization coordinator at the first offload card; initializing one or more other components of the virtualization manager to complete the multi-phase boot operation, including at least one component which runs at a processor which is not installed on the first offload card; and instantiating, by the virtualization manager after the multi-phase boot operation has completed successfully, a guest virtual machine at the virtualization host in response to a command from a control plane component of a virtualized computing service of a provider network.
2. The method as recited in claim 1, wherein the one or more other components comprise a hypervisor which runs at one or more CPUs of the virtualization host.
3. The method as recited in claim 1, wherein the one or more other components of the virtualization manager comprise a device configured to offload network processing operations from one or more CPUs of the virtualization host.
4. The method as recited in claim 1, further comprising: establishing a secure communication session between the virtualization host and an identity service of the provider network; in response to a request from the identity service, obtaining, by the one or more components of the first offload card from the security module, a signed payload based at least in part on (a) an attestation identity key and (b) one or more platform configuration registers; and providing the signed payload to the identity service to enable an enrollment of the virtualization host in a public key infrastructure of the virtualized computing service.
5. The method as recited in claim 1, wherein said instantiating the guest virtual machine comprises: communicating between the one or more components of the first offload card and the one or more other components of the virtualization manager via one or more of: (a) a Peripheral Component Interconnect-Express (PCI-E) bus, (b) a QuickPath interconnect (QPI) or (c) an UltraPath interconnect (UPI).
6. A system, comprising: a virtualization host of a computing service of a provider network, wherein the virtualization host comprises a first offload card, wherein the first offload card comprises one or more processors and memory configured to implement one or more components of a virtualization manager; wherein the one or more components of the virtualization manager are configured to: initiate a first phase of a multi-phase boot operation of the virtualization manager, wherein the first phase comprises using a first key pair, wherein a particular key of the first key pair is stored in a tamper-resistant location; in response to determining that the first phase has completed successfully, initiate a second phase of the multi-phase boot operation, wherein the second phase comprises (a) measuring one or more firmware programs using a security module and (b) launching a first version of a virtualization coordinator via the one or more processors and memory at the first offload card; obtain, using the first version of the virtualization coordinator, a different version of the virtualization coordinator; launch the different version of the virtualization coordinator at the first offload card; and initialize one or more other components of the virtualization manager to complete the multi-phase boot operation, including at least one component which runs at a processor which is not installed on the first offload card.
7. The system as recited in claim 6, wherein the one or more other components comprise a hypervisor which runs at one or more CPUs of the virtualization host.
8. The system as recited in claim 7, wherein the hypervisor comprises one or more quiescent processes configured to defer one or more categories of virtualization operations until a guest virtual machine of the virtualization host has relinquished control of a CPU.
9. The system as recited in claim 6, wherein a second key of the first key pair is stored at a hardware security module appliance external to the virtualization host.
10. The system as recited in claim 6, wherein the virtualization host is located at a data center external to the provider network.
11. The system as recited in claim 6, wherein the one or more other components of the virtualization manager comprise a system-on-chip configured to perform network processing operations.
12. The system as recited in claim 6, wherein the one or more other components of the virtualization manager are configured to: determine that a request to validate a version of a particular program running on the virtualization host has been transmitted by a control plane component of the computing service; and cause a response to the request to be generated, wherein the response comprises data obtained from the security module.
13. The system as recited in claim 6, wherein after the multi-phase boot operation is completed, the virtualization coordinator at the first offload card is configured to: initiate a launch of a guest virtual machine at the virtualization host; determine that an additional version of a particular component of the virtualization manager is available; and initiate a live update of the particular component to the additional version, wherein the guest virtual machine continues to run during at least a portion of the live update.
14. The system as recited in claim 6, wherein the one or more components of the virtualization manager are configured to: determine, prior to obtaining the different version of the virtualization coordinator, that a storage area designated for updated versions of the virtualization coordinator has not been secured using an encryption key; generate, using the security module, an encryption key for the storage area; cause the encryption key to be sealed at the security module; and utilize the encryption key for one or more subsequent accesses to the storage area.
15. The system as recited in claim 6, wherein the one or more components of the virtualization manager are configured to: establish a secure communication session with an identity service of a provider network; in response to a request from the identity service, obtain, from the security module, a signed payload based at least in part on (a) an attestation identity key and (b) one or more platform configuration registers; and provide the signed payload to the identity service to enable an enrollment of the virtualization host in a public key infrastructure of the computing service.
16. A non-transitory computer-accessible storage medium storing program instructions that when executed on one o
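The abstract and claims 1, 4, 14 and 15 describe one procedure: validate firmware under a root key held in the card's tamper-resistant store (phase 1), measure the firmware and the first-stage coordinator into the security module's PCRs (phase 2), have the first-stage coordinator unseal a storage key bound to that measured state to obtain and launch the different version, and later produce an AIK-signed payload over the PCRs for the identity service. The following is an added toy model of that flow written for this page; it is not code from the patent or its assignee. Every key, firmware image and coordinator image is constructed inline, the class and method names (SecurityModule, OffloadCard, phase_one, storage_key, enrollment_quote) are hypothetical, HMAC stands in for the asymmetric signature of the phase-1 key pair and for the AIK quote signature, and a SHA-256 counter stream with an HMAC tag stands in for the storage-area cipher.

```python
"""Toy model of the claimed multi-phase boot (illustration only). Keys, firmware and images
are constructed; HMAC stands in for the phase-1 key-pair signature and the AIK-signed quote."""
import hashlib
import hmac
import os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canon(hashes: dict) -> bytes:
    return b"".join(n.encode() + b"=" + h for n, h in sorted(hashes.items()))

def sign_manifest(root_key: bytes, firmware: dict) -> dict:
    """Manufacturer side: sign the firmware digests with the peer of the card's root key."""
    hashes = {n: sha256(b) for n, b in firmware.items()}
    return {"hashes": hashes, "sig": hmac.new(root_key, canon(hashes), "sha256").digest()}

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], sha256(key + i.to_bytes(8, "big"))))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = keystream_xor(key, plaintext)
    return ct + hmac.new(key, ct, "sha256").digest()            # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("storage area integrity check failed")
    return keystream_xor(key, ct)

class SecurityModule:
    """Stand-in for the TPM-like security module: PCRs, extend, seal/unseal, quote."""
    def __init__(self, aik_secret: bytes, num_pcrs: int = 8):
        self._aik, self.sealed, self.num_pcrs = aik_secret, {}, num_pcrs
        self.power_cycle()
    def power_cycle(self) -> None:                  # PCRs reset each boot; sealed blobs persist
        self.pcrs = {i: b"\x00" * 32 for i in range(self.num_pcrs)}
    def extend(self, index: int, measurement: bytes) -> bytes:
        self.pcrs[index] = sha256(self.pcrs[index] + measurement)
        return self.pcrs[index]
    def _policy(self, indices) -> bytes:
        return sha256(b"".join(self.pcrs[i] for i in sorted(indices)))
    def seal(self, handle: str, secret: bytes, indices) -> None:
        self.sealed[handle] = (self._policy(indices), tuple(sorted(indices)), secret)
    def unseal(self, handle: str) -> bytes:
        policy, indices, secret = self.sealed[handle]
        if not hmac.compare_digest(policy, self._policy(indices)):
            raise PermissionError("PCR state differs from the state the key was sealed to")
        return secret
    def quote(self, nonce: bytes, indices) -> dict:
        pcrs = {i: self.pcrs[i] for i in sorted(indices)}
        sig = hmac.new(self._aik, nonce + b"".join(pcrs.values()), "sha256").digest()
        return {"nonce": nonce, "pcrs": pcrs, "sig": sig}

def verify_quote(aik_secret: bytes, q: dict, nonce: bytes, expected: dict) -> bool:
    """Identity-service side check before PKI enrollment (a real one uses the AIK public key)."""
    payload = nonce + b"".join(q["pcrs"][i] for i in sorted(q["pcrs"]))
    sig_ok = hmac.compare_digest(q["sig"], hmac.new(aik_secret, payload, "sha256").digest())
    return sig_ok and q["nonce"] == nonce and q["pcrs"] == expected

class OffloadCard:
    FW_PCR, COORD_PCR, KEY_HANDLE = 0, 1, "coordinator-storage-key"
    def __init__(self, root_key: bytes, sm: SecurityModule, storage: dict):
        self._root_key = root_key                   # tamper-resistant portion of the card
        self.sm, self.storage, self.coordinator = sm, storage, None
    def phase_one(self, firmware: dict, manifest: dict) -> None:
        want = hmac.new(self._root_key, canon(manifest["hashes"]), "sha256").digest()
        if not hmac.compare_digest(want, manifest["sig"]):
            raise ValueError("manifest signature invalid")
        for name, blob in firmware.items():         # validate before anything is executed
            if manifest["hashes"].get(name) != sha256(blob):
                raise ValueError(f"firmware {name} does not match the signed manifest")
    def phase_two(self, firmware: dict, first_coordinator: bytes) -> None:
        """Measure firmware and the first-stage coordinator into PCRs, then launch the latter."""
        for name in sorted(firmware):
            self.sm.extend(self.FW_PCR, sha256(firmware[name]))
        self.sm.extend(self.COORD_PCR, sha256(first_coordinator))
        self.coordinator = first_coordinator.decode()
    def storage_key(self) -> bytes:
        """Unseal the storage key; on first boot generate it and seal it to the measured state."""
        if self.KEY_HANDLE not in self.sm.sealed:
            self.sm.seal(self.KEY_HANDLE, os.urandom(32), [self.FW_PCR, self.COORD_PCR])
        return self.sm.unseal(self.KEY_HANDLE)
    def boot(self, firmware: dict, manifest: dict, first_coordinator: bytes, update=None) -> str:
        self.sm.power_cycle()
        self.phase_one(firmware, manifest)
        self.phase_two(firmware, first_coordinator)
        key = self.storage_key()
        if update is not None:                      # control plane delivered a newer version
            self.storage["coordinator"] = encrypt(key, update)
        if "coordinator" in self.storage:           # obtain and launch the different version
            self.coordinator = decrypt(key, self.storage["coordinator"]).decode()
        return self.coordinator
    def enrollment_quote(self, nonce: bytes) -> dict:
        return self.sm.quote(nonce, [self.FW_PCR, self.COORD_PCR])
```

The point the model makes that the claim text only states: a correctly signed but older firmware image passes phase 1 (the signature is valid), yet its measurements land in different PCR values, so the storage key sealed under claim 14 does not unseal and the stored coordinator version cannot be obtained. Binding the key to the measured state, not only to the signature check, is what closes the rollback path.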
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
Secure boot · CPC title
Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines · CPC title
Test or assess a computer or a system · CPC title