Hardening: add -mbranch-protection=standard for arm64 that support it.

e.g. raspberry pi 5, aws ec2 graviton2 and higher, etc.

This does the same as -fcf-protection on x64 (well, those that support it).

configure

@@ -4975,7 +4975,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
-  # Control Flow Enforcement (ROP hardening) - requires CPU hardware support
+  # Control Flow Enforcement (ROP hardening) - requires CPU hardware support (x64)
   ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
 ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -5030,6 +5030,61 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 
+  # Similar to above but for arm64
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mbranch-protection=standard" >&5
+printf %s "checking whether C compiler accepts -mbranch-protection=standard... " >&6; }
+if test ${ax_cv_check_cflags__Werror___mbranch_protection_standard+y}
+then :
+  printf %s "(cached) " >&6
+else case e in #(
+  e)
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS -Werror  -mbranch-protection=standard"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  ax_cv_check_cflags__Werror___mbranch_protection_standard=yes
+else case e in #(
+  e) ax_cv_check_cflags__Werror___mbranch_protection_standard=no ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags ;;
+esac
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags__Werror___mbranch_protection_standard" >&5
+printf "%s\n" "$ax_cv_check_cflags__Werror___mbranch_protection_standard" >&6; }
+if test x"$ax_cv_check_cflags__Werror___mbranch_protection_standard" = xyes
+then :
+  HARDEN_CFLAGS="$HARDEN_CFLAGS -mbranch-protection=standard"
+else case e in #(
+  e) : ;;
+esac
+fi
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
   # Since we have moved from name[1] to name[], setting this should help bounds checking:
   ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'

configure.ac

@@ -144,9 +144,12 @@ AS_IF([test x"$hardening" != x"no"], [
   # Added in UnrealIRCd 5.0.5 (default on Ubuntu 19.10)
   check_cc_flag([-fstack-clash-protection], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstack-clash-protection"])
 
-  # Control Flow Enforcement (ROP hardening) - requires CPU hardware support
+  # Control Flow Enforcement (ROP hardening) - requires CPU hardware support (x64)
   check_cc_flag([-fcf-protection], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fcf-protection"])
 
+  # Similar to above but for arm64
+  check_cc_flag([-mbranch-protection=standard], [HARDEN_CFLAGS="$HARDEN_CFLAGS -mbranch-protection=standard"])
+
   # Since we have moved from name[1] to name[], setting this should help bounds checking:
   check_cc_flag([-fstrict-flex-arrays=3], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fstrict-flex-arrays=3"])