Add PlatformKeyManager helper for RecoverableKeyStoreLoader

Manages generating the platform key and then loading it into AndroidKeyStore
with different permissions for 'decrypt' and 'encrypt'. Encrypt should be always
available, so as to enable us to generate application keys at any time, and be
able to sync them wrapped with the platform key to disk. Decrypt should only be
available shortly after a screen unlock - i.e., so that we can unwrap the keys
persisted to disk, then rewrap them with the recovery key and sync them to the
remote storage.

Test: adb shell am instrument -w -e package com.android.server.locksettings.recoverablekeystore com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I7575ea1c3c78d5544ef763324ac47dffb3993b55