ANDROID: KVM: arm64: iommu: Erase pvmfw from EL1 if possible

Kernel IOMMU drivers can report system misconfiguration through
pkvm_iommu_finalize().
Then EL2 can take the proper response, for example if there are missing
IOMMUs, and DMA isolation can't be ensured, it would clear pvmfw so
PVMs can't be launched.
However, this is not clean as userspace can still query pvmfw info
and launch PVMs that loops in undefined instruction aborts as pvmfw
is cleared.
To fix this, before deprivilege, the kernel will erase pvmfw if the
IOMMUs are not finalised.

Bug: 268607700
Test: Launch PVM with missing S2MPU => Fail immediately with -8
Test: Launch PVM with all S2MPU => Pass
Change-Id: I9fd2440805f6b2f2ad4395ce61df5b272ed84fef
Signed-off-by: Mostafa Saleh <smostafa@google.com>
(cherry picked from commit 01ec18c5)