trusty: Add pKVM dma-buf heap module

This patch introduces a standalone pKVM dma-buf heap module,
serving as an example of how to use pKVM vendor hypercalls to
protect/unprotect pages at stage-2.

The module consists of:
* EL1 driver: a modified system heap that issues pKVM vendor hypercalls
  to protect pages upon allocation and unprotect them upon release. It
  also exposes a device which is used to enable custom SMC forwarding.
* EL2 module: handles stage-2 permission transitions and implements an
  SMC handler for guests to accept protected buffers.
* Build integration: adds bazel build rules (ddk_module, ddk_library)
  integrating the module into main-kernel-build-2025,
  main-kernel-build-2026, and mainline.

Note that the pKVM module is not built for mainline kernels.

Based on aosp/3876668 by qperret@

Bug: 481446462
Test: tools/bazel run \
  -- common-modules/trusty/build/main-kernel-build-2025:trusty_aarch64_dist \
  --destdir out/trusty_aarch64_dist-2025
Test: tools/bazel run \
  -- common-modules/trusty/build/main-kernel-build-2026:trusty_aarch64_dist \
  --destdir out/trusty_aarch64_dist-2026
Test: tools/bazel run \
  -- common-modules/trusty/build/mainline:trusty_aarch64_dist \
  --destdir out/trusty_aarch64_dist-mainline
Change-Id: I1e3076cc2d4875f8524b7ad9daebe8891d830391
Co-developed-by: Quentin Perret <qperret@google.com>
Signed-off-by: Per Larsen <perlarsen@google.com>
9 files changed