modules: tfm: make BL2 header in non-secure image configurable

When we build Zephyr for a Non-Secure image, using TFM
as the Secure counterpart, we may or may not use BL2 (e.g.
MCUboot in TFM). If we build with BL2 we need to account
for a ROM offset before the start of the non-secure image
where TFM BL2 expects the BL2 header. This offset is not
needed when TFM is built without BL2. We use the existing
Kconfig options to determine whether we need a ROM offset
or not. We use the value of 0x400 for the BL2 header,
which is the default value used in TFM, but the option is
non-hidden, allowing the user to overwrite the default
value if needed.

Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>