composefs fsverity should be configurable

[cgwalters]

Today the composefs backend basically does "enable fsverity if we can" by default. In the code, there is a proper enum but AFAICS it is not exposed via e.g. storage.conf or otherwise.

In contrast in ostree, we did make this explicitly configurable.

(queue the overall problem that we need to unify ostree and c/storage)

Different system operators, may reasonably want distinct things:

• Some may want to disable fsverity even on filesystems (e.g. btrfs, xfs) that support it today, because they don't want to pay the verification tax
• Some may want to hard require it (and this use case actually quickly gets into the use case of "enforce signatures chaining to fsverity digest of composefs" which is what ostree does today; this touches on https://github.com/containers/composefs/issues/294 )

---

Bikeshed: We could just expose this via storage.conf I guess, something like use_composefs = signed | verity | yes | no or so.

[rhatdan]

@giuseppe PTAL

[rhatdan]

@alexlarsson PTAL