tps: make is_upgraded() require a single upgraded keyslot

In tails/tails#19728 users experience timeouts upgrading the
persistent storage, preventing them from unlocking it and blocking
login for 4 minutes. Actually the upgrade finishes (in the background)
but is_upgraded() still fails next boot and triggers an upgrade (that
will timeout). It seems related to having multiple keyslots, some
corrupted (or similar) in such a way that `cryptsetup luksConvertKey`
fails upgrading them ("Digest 0 (pbkdf2) verify failed with -1"), and
one of the corrupted keys being listed last by `cryptsetup luksDump`.

Those keys are luks1 and use pbkdf2, so is_upgraded() would return
False since it requires argon2id. In order to allow users with this
problem to unlock their persistent storage we make is_upgraded()
require require a single upgraded keyslot. This is not great as it
means the other keyslots can be weak, but this change doesn't make
anything worse, it only allows users to access their data again. More
work will be needed to properly address all this.