tpmr: Set flags properly on sealed file

Set flags 'fixedtpm|fixedparent|adminwithpolicy'.  Plain password auth
is no longer allowed.  For objects sealed with a password, the password
is part of the auth policy, so both PCRs and password must be satisfied
to unseal.

Tested by manually attempting to unseal disk unlock key with password:
    tpm2 unseal -c 0x81000003 -p "<password>"

This now correctly returns an error indicating this auth method is not
allowed.

Relative to the documented default flags for tpm2_create:

* sign, decrypt: Not applicable to a sealed object, tpm2_create
  automatically removed these from the defaults.
* fixedtpm, fixedparent: Kept
* sensitivedataorigin: Not applicable to an object where the sensitive
  data is not generated by the TPM.
* userwithauth: Removed this, "user" actions must satisfy auth policy.
* adminwithpolicy: Added this, "admin" actions must satisfy auth
  policy.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Jonathon Hall 2023-02-27 09:49:43 -05:00
parent bc736450cb
commit 6efabeb520
GPG Key ID: 1E9C3CA91AE25114

View File

@ -193,17 +193,15 @@ tpm2_sealfile() {
# (The default is to allow either policy auth _or_ password auth. In
# this case the policy includes the password, and we don't want to allow
# the password on its own.)
# TODO: Check the other default attributes, do we want them?
# TODO: Providing the password directly limits it to the size of the
# largest hash supported by the TPM (at least 32 chars for sha256)
# TODO: The attributes aren't working yet, rejected with 'inconsistent attributes'
# -a 'sign|decrypt|fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy'
tpm2 create -Q -C "/tmp/$PRIMARY_HANDLE_FILE" \
-i "$file" \
-u "$SECRET_DIR/$bname.priv" \
-r "$SECRET_DIR/$bname.pub" \
-L "$AUTH_POLICY" \
-S "/tmp/$DEC_SESSION_FILE" \
-a "fixedtpm|fixedparent|adminwithpolicy" \
"${CREATE_PASS_ARGS[@]}"
tpm2 load -Q -C "/tmp/$PRIMARY_HANDLE_FILE" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -c "$SECRET_DIR/$bname.seal.ctx"
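Review bot: the two TODO comments above the tpm2 create call are now stale and contradict the code beneath them. "The attributes aren't working yet, rejected with 'inconsistent attributes'" and the commented-out `-a 'sign|decrypt|fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy'` describe the attempt that failed, while this hunk passes `-a "fixedtpm|fixedparent|adminwithpolicy"` and the commit message says it works; drop both lines, and the "Check the other default attributes, do we want them?" TODO is answered by the per-flag analysis in the commit message, which would be more useful as the comment here than the TODO. Separately, the output filenames are swapped relative to what tpm2 create writes: `-u` is the public portion and `-r` the private (sensitive) portion, yet `-u` goes to "$SECRET_DIR/$bname.priv" and `-r` to "$SECRET_DIR/$bname.pub". The tpm2 load line uses the same swapped pairing, so it loads correctly, but anyone reading or handling these files will take the wrong one for the private blob; swap the two names in both commands.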