Make it possible to disable verification.

Introduce a new AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED flag
which can be set in the top-level vbmeta struct. Also add {get,
enable, disable}-verification sub-commands to avbctl to read/write
this flag.

This flag acts much in the same way as the HASTREE_DISABLED flag
insofar that it's usually unset on images so setting it on a slot
means that the slot will only work in UNLOCKED mode (because the
signature on the top-level vbmeta struct will no longer verify).

If this flag is set, then

 - only the top-level vbmeta struct is read; and

 - descriptors are not processed; and

 - all requested partitions are loaded without verification; and

 - the |cmdline| field in the returned AvbSlotVerifyData object
   will be set to "root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)"
   and the GUID substitutions are performed. No androidboot.*
   options are set in the returned command-line.

In effect this should allow booting the OS in the slot without any
modifications to the bootloader as if verified boot is not in use at
all. This is useful in some use-cases for example if using a
system.img image without any verification metadata at all.

Test: New unit tests + all unit tests pass.
Test: Manually tested on UEIF-based boot loader.
Bug: 62523303
Change-Id: Ib85539433c39691e407009dc8d66d94dc3ec5b09

Android.bp

@@ -114,6 +114,7 @@ cc_library_static {
         "libavb_ab/avb_ab_flow.c",
         "libavb_user/avb_ops_user.c",
         "libavb_user/avb_user_verity.c",
+        "libavb_user/avb_user_verification.c",
     ],
 }