This commit reworks the "storage-safety" value in the model assertion
so that the new values are:
"encrypted|prefer-encrpyted|prefer-unencrypted"
This makes it clearer what the meaning of each option is.
This commit implements the new "storage-safety" header for the
model assertion. This header controls the encryption handling
for the given model and grade. Valid values for the storage-safety
header are "optional" and "encrypted". Note that the the
combination of "model: secured" and "storage-safety: optional"
is an error.
In addition to the assertion change this will need work on the
devicemanager to honor the settings and there will be a new
option for the gadget.yaml:
```
storage-safety-default: encrypted|unencrypted
```
Based on this default the recovery-chooser will offer defaults
about installing the device encrypted or unencrypted.
this splits the handling of essential and not essential model snaps
by having model.EssentialSnaps and model.SnapsWithoutEssential
instead of AllSnaps
notice that the order of snaps is still relevant in seedwriter and
seed, but is now managed more explicitly:
* system snap first (if implicit)
* essential snaps (in the EssentialSnaps order)
* not essential snaps (in SnapsWithoutEssential order)
use it to infer well-known bases or snapd snap-id when dealing with
seeds
require the base to have an entry in the "snaps" stanza if not
well-known and model is not dangerous
* go back to the "pinned track" terminology now that is stricly for
Core 18
* make it the seed policy responsibility to decide what to use
as default channel if nothing is otherwise specified, for now
keep Core 16/18 using the latest/or default track at image build
time
Grade can be secured|signed|dangerous. For Core 16/18 models we report grade as 'unset'.
With grade dangerous snap ids are optional in the "snaps" stanza entries.
