Signed xattrs

[jcnelson]

Currently, there is no end-to-end authentication on xattr names and values. A compromised MS could equivocate between gateways about them. Include a per-attribute signature, so even getxattr() can verify the authenticity of the name and value.

[jcnelson]

While we're at it, we should think of a way to ensure that the MS can't reply stale signed xattrs undetected.

[jcnelson]

This will be addressed in the following way:

• gateways sign each metadata entry the replicate to the MS (i.e. the MS is no longer a trusted source of metadata; only a publicly-routable cache for metadata from a volume's coordinators).
• coordinators always host the set of xattrs
• coordinators replicate the (signed) hash of the xattrs alongside the (signed) xattr_nonce
• the xattr_nonce becomes a monotonically-increasing version number, which reader gateways cache locally
• other gateways send SETXATTR and REMOVEXATTR messages to the coordinator, which then generates and uploads a new hash and new signed metadata entry

[jcnelson]

This is possibly fixed in my local tree.

[jcnelson]

Fixed in master.