    fs-verity: support builtin file signatures · 0c9ff58d
    Eric Biggers authored
    
    
    For ease of use, add optional support for having fs-verity handle a
    portion of the authentication policy in the kernel.  A ".fs-verity"
    keyring is created to which trusted X.509 certificates can be added;
    then a sysctl 'fs.verity.require_signatures' can be set to cause the
    kernel to enforce that all fs-verity files contain a signature of their
    file measurement, signed by a key in this keyring.
    
    See Documentation/filesystem/fsverity.rst for more information,
    namely the "Built-in file signatures" section.
    
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>