filesystem-deploy action should handle creation of read-only/verity-protected filesystems

[obbardc]

Regular read-write filesystems (e.g. ext4, vfat) are created early with the image-partition action (using mkfs tools) and mounted inside the fakemachine container. The filesystem-deploy action may simply copy the files into the mounted tree and everything works fine.

For read-only filesystems (e.g. squashfs, EROFS) however, this is not the case. The files are generally built up in a temporary directory, then turned into an image using the squashfs tool (e.g. mksquashfs <dir> out.squashfs).

So for these kinds of RO filesystems, we need to:

1. carve out space for the image in the image-partition action (by simply skipping over RO partitions, or by requireing filesystem: none).
2. when the filesystem-deploy action is called, build up each RO partition image using the correct tooling.
3. flash the RO partitions to the image file.
4. mount the RO partitions as per the image-partition action configuration (as read-only) for the remainder of the run.

We also need to be careful with filesystem hierarchy (e.g. nested images).

[obbardc]

The same syntax could be used to create ext2,3,4 read-only images, as well as partitions which have verity hash-tree appended to them.