Fix backend selection logic
In some cases the backend selection was not working properly:
- Key derivation, wrapped key import: the backend compatibility was not
checked at all. This resulted in a possibility of saving an exportable
key in TZ backend which normally is not allowed.
- Encrypted initial values could have been imported to incompatible SW
backend if the TZ backend fails to initialize or the SW backend is
forced.
The Decider API was also unclear and different policies were in force
depending on the usecase.
This commit introduces following changes:
* Keep the policy in a single place.
* Return a prioritized list of backends compatible with given use case.
* Add backend check to key derivation and wrapped key import.
* Do not assume SW backend is suitable for all cases.
* Handle illegal cases by returning empty list of compatible backends.
Change-Id: I2d5dbbb3c4ba9385ac756eb419f95ac877cdd532