Provide alternate SE RoT provisioning path.

On some devices it is infeasible to provision the KeyMint RoT bits in
the Android Bootloader.  This provides an alternate path to provision
them from the TEE during early boot.

Bug: 219076736
Test: VtsAidlKeyMintTargetTest
Change-Id: Ibae9050b9a102dad3710f9495d3dfa43fa1d1b3f
Merged-In: Ibae9050b9a102dad3710f9495d3dfa43fa1d1b3f