ANDROID: KVM: arm64: Move pKVM host deprivilege to device_initcall
In preparation for early loading of pKVM modules (i.e. before
deprivilege), move the pKVM finalization to device_initcall. This is
needed as modules are found in the initramfs, whose unpacking starts in
the previous initcall.
A deprivilege failure now ends up erasing the PVM firmware and simply
prevents loading of any protected VM.
As an interesting side effect, it also allows us to mark the module
loading functions as __init. Those functions will then be erased once
the init is complete, reducing the attack surface.
Bug: 254835242
Change-Id: Ifab4b9167b8924222bc8b6c2a0af529a3f8540c0
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>