Implement fsverity functionality

Implement calls to the fsverity kernel module, allowing containerd to
enable fsverity on blob data in the content store. This causes fsverity
to veirfy the integrity of blob data when the blob is read.

Signed-off-by: James Jenkins <James.Jenkins@ibm.com>

plugins/content/local/store.go

@@ -29,6 +29,7 @@ import (
 
 	"github.com/containerd/containerd/v2/core/content"
 	"github.com/containerd/containerd/v2/pkg/filters"
+	"github.com/containerd/containerd/v2/pkg/fsverity"
 	"github.com/containerd/errdefs"
 	"github.com/containerd/log"
 
@@ -62,8 +63,9 @@ type LabelStore interface {
 // Store can generally support multi-reader, single-writer ingest of data,
 // including resumable ingest.
 type store struct {
-	root string
-	ls   LabelStore
+	root               string
+	ls                 LabelStore
+	integritySupported bool
 }
 
 // NewStore returns a local content store
@@ -81,9 +83,12 @@ func NewLabeledStore(root string, ls LabelStore) (content.Store, error) {
 		return nil, err
 	}
 
+	supported, _ := fsverity.IsSupported(root)
+
 	return &store{
-		root: root,
-		ls:   ls,
+		root:               root,
+		ls:                 ls,
+		integritySupported: supported,
 	}, nil
 }