Revert "Disallow UDS-rooted BCC"

This reverts commit 7e6a933d44.

Reason for revert: We now truncate the received BCC in pvmfw, so this restriction is not needed.
Bug: 266172411

Change-Id: I1c294862352a93c74153627ac9a6812e80e90da7
Merged-In: I1c294862352a93c74153627ac9a6812e80e90da7

pvmfw/README.md

@@ -197,20 +197,16 @@ next-stage secret, and a certificate chain, intended for pVM attestation. Note
 that it differs from the `BccHandover` defined by the specification in that its
 `Bcc` field is mandatory (while optional in the original).
 
-Ideally devices that fully implement DICE should provide a certificate rooted at
-the Unique Device Secret (UDS) in a boot stage preceding the pvmfw loader
-(typically ABL), in such a way that it would receive a valid `BccHandover`, that
-can be passed to [`BccHandoverMainFlow`][BccHandoverMainFlow] along with the
-inputs described below.
+Devices that fully implement DICE should provide a certificate rooted at the
+Unique Device Secret (UDS) in a boot stage preceding the pvmfw loader (typically
+ABL), in such a way that it would receive a valid `BccHandover`, that can be
+passed to [`BccHandoverMainFlow`][BccHandoverMainFlow] along with the inputs
+described below.
 
-However, there is a limitation in Android 14 that means that a UDS-rooted DICE
-chain must not be used for pvmfw. A non-UDS rooted DICE chain is recommended for
-Android 14.
-
-As an intermediate step towards supporting DICE throughout the software stack of
-the device, incomplete implementations may root the BCC at the pvmfw loader,
-using an arbitrary constant as initial CDI. The pvmfw loader can easily do so
-by:
+Otherwise, as an intermediate step towards supporting DICE throughout the
+software stack of the device, incomplete implementations may root the BCC at the
+pvmfw loader, using an arbitrary constant as initial CDI. The pvmfw loader can
+easily do so by:
 
 1. Building a BCC-less `BccHandover` using CBOR operations
    ([example][Trusty-BCC]) and containing the constant CDIs