Add support for key agreement inside a secure element

[gilles-peskine-arm]

This a step of the implementation of the interface for key derivation drivers introduced in #5451. It follows #5484 and #5490. The goal of this issue is to implement the key_agreement_to_key entry point for opaque drivers.

• If an opaque driver has a key_agreement_to_key entry point, then when performing psa_key_derivation_key_agreement, instead of calling the driver's key_agreement entry point, call its key_agreement_to_key entry point. This should leave the psa_crypto_driver_key_derivation_inputs_t in the same state as if psa_key_derivation_input_key had been called on the key created by psa_key_derivation_key_agreement. Note that this does not apply when performing psa_raw_key_agreement: this always invokes the driver's psa_key_agreement entry point.
• If a key derivation operation successfully called key_agreement_to_key, then when aborting it, call the driver's destroy_key entry point on the key object that contains the shared secret.
• Add unit tests to the driver dispatch tests.