Extended Access mode for Trust Agents

This change adds a mode that changes how trust is used by the
platform. In this mode, a trust agent that reports the device to be in
a trusted state is only able to extend how long the device stays
unlocked (before needing credentials or biometrics), but cannot
actually unlock a locked device.

The change is off by default, and comes with secure settings variables
to control the behavior. This is a temporary convenience for
dogfooding and we expect extended access mode to become the default
for Q.

Bug: 111435975
Test: Tested with SmartLock modules to confirm extend unlock behavior
works as expected.
Change-Id: Ie63a4235f5ad144d4ffb5dd308cc2cef886cb8ef