Yet another try for fs-verity

The documentation covers why the Merkle tree isn't stored in xattrs on ext4 and f2fs. Independently of that, in theory the API *could* use xattrs instead of ioctls, e.g. FS_IOC_ENABLE_VERITY could be replaced with setxattr("system.fsverity", &fsverity_enable_arg), and FS_IOC_MEASURE_VERITY replaced with getxattr("system.fsverity"). However, abusing the xattr interface for basically arbitrary syscalls is heavily frowned upon by most of the Linux filesystem developers. An xattr should really just be an xattr on-disk, not an API to e.g. magically trigger construction of a Merkle tree.

We're still planning to expose the verity bit through FS_IOC_GETFLAGS and possibly statx() too, just like the encrypt bit. So detecting verity files will still be straightforward; you don't need xattrs for this.

We aren't using the existing "immutable" bit because it already has specific semantics that include much more than just file contents immutability, e.g. it also prevents the file from being deleted, renamed, linked to, or have its owner or mode changed. So reusing the immutable bit to mean "fs-verity enabled" would not be appropriate.