CET support and general compiler-based hardening

It would be neat to have Alpine binaries built with CET support by default: it's supported on Intel hardware since Tiger Lake released in 2020 and AMD Zen 3 also released in 2020. CET provides strong control-flow guarantees (~killing ROP) on supported hardware, and is equivalent to a nop on unsupported one.

• Ubuntu has it since 20.04LTS (2020)
• Fedora has it since Fedora 28 (2018)
• Windows has it since Windows 10, version 2004 (November 2020)

While looking at this, I wondered what hardening-related compilation flags Alpine was using by default, and didn't manage to find a single source of truth:

• GOFLAGS="-buildmode=pie is enabled in abuild.conf.
• -stack-protector: enabled by default via a clang patch, but what about gcc?
• -D_FORTIFY_SOURCE=2 is apparently enabled by default as per this commit, but cool kids are using -D_FORTIFY_SOURCE=3 nowadays
  • Arch Linux moved to it in April 2023
• -z relro -z now are apparently enabled by default as per this commit
• -fstack-clash-protection: enabled via abuild@4f7a2aff
  • Fedora is using by default
• -fpie -Wl,-pie and -fpic -shared are enabled by default
• -Werror=format-security is enabled as well
• A decent subset of UBSan like -fsanitize=undefined -fsanitize-minimal-runtime
• libstdc++ related:
  • GLIBCXX_ASSERTIONS: enabled via abuild@44c933da
    • Enabled since January 2023 in gentoo
• -ftrivial-auto-var-init=zero
  • Ubuntu is working on enabling it by default
• libcxx related, added via abuild!221 (merged)
  • _LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS: This macro is used to enable -Wthread-safety annotations on libc++’s std::mutex and std::lock_guard.
  • _LIBCPP_ENABLE_HARDENED_MODE to enable the hardened mode.
    • It's ~enabled in Google Chrome
• -fcf-protection: needs musl support.

It would be great to have the flags and their tradeoffs documented somewhere.