New API to query trust of an fs-verity certificate

The corresponding service is also added.

The API can be used by a store to know whether their certificate is
trusted on the device. As an optimization, they only need to download
the .fsv_sig signature file if it will be used.

The API can also be used to gradually switch to a stronger key. The store
can query with their certificates in priority order and download the best
signature.

Test: Passed new GTS working in progress
Bug: 142573505
Change-Id: Ic788cd04aeaed35ad62113fe9e7535b8fa63b5ee
This commit is contained in:
Victor Hsieh
2019-09-30 13:36:21 -07:00
parent 18e52123ce
commit 20fe1f6f22
7 changed files with 309 additions and 0 deletions


@@ -145,6 +145,7 @@ import com.android.server.recoverysystem.RecoverySystemService;
import com.android.server.restrictions.RestrictionsManagerService;
import com.android.server.role.RoleManagerService;
import com.android.server.rollback.RollbackManagerService;
import com.android.server.security.FileIntegrityService;
import com.android.server.security.KeyAttestationApplicationIdProviderService;
import com.android.server.security.KeyChainSystemService;
import com.android.server.signedconfig.SignedConfigService;
@@ -672,6 +673,13 @@ public final class SystemServer {
AppCompatCallbacks.install(new long[0]);
t.traceEnd();
// FileIntegrityService responds to requests from apps and the system. It needs to run after
// the source (i.e. keystore) is ready, and before the apps (or the first customer in the
// system) run.
t.traceBegin("StartFileIntegrityService");
mSystemServiceManager.startService(FileIntegrityService.class);
t.traceEnd();
// Wait for installd to finish starting up so that it has a chance to
// create critical directories such as /data/user with the appropriate
// permissions. We need this to complete before we initialize other services.
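Review bot: the comment above `mSystemServiceManager.startService(FileIntegrityService.class)` states an ordering requirement (after the keystore is ready, before apps or the first system customer run), but nothing in this hunk shows which earlier step makes the keystore ready; the start sits right after `AppCompatCallbacks.install(new long[0])` and before the installd wait. Please name the specific service or boot phase this depends on in the comment, or have the service load its trusted certificates from an `onBootPhase` callback rather than at start, so a later reordering in SystemServer does not silently break the dependency. Since the service answers trust queries from apps, the comment should also say what a caller gets if the certificate source is not yet available, and that case should resolve to "not trusted".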