Add branch protection flags

docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md

@@ -20,6 +20,7 @@ When compiling C or C++ code on compilers such as GCC and clang, turn on these f
 -D_FORTIFY_SOURCE=3 \
 -D_GLIBCXX_ASSERTIONS \
 -fstack-clash-protection -fstack-protector-strong \
+-fcf-protection=full -mbranch-protection=standard \
 -Wl,-z,nodlopen -Wl,-z,noexecstack \
 -Wl,-z,relro -Wl,-z,now \
 -fPIE -pie -fPIC -shared
@@ -126,6 +127,8 @@ Table 2: Recommended compiler options that enable run-time protection mechanisms
 | [`-D_GLIBCXX_ASSERTIONS`](#-D_GLIBCXX_ASSERTIONS)<br>[`-D_LIBCPP_ASSERT`](#-D_LIBCPP_ASSERT) | libstdc++ 6.0<br/>libc++ 3.3.0  | Precondition checks for C++ standard library calls. Can impact performance.                  |
 | [`-fstack-clash-protection`](#-fstack-clash-protection)                                   |       GCC 8<br/>Clang 11.0.0       | Enable run-time checks for variable-size stack allocation validity. Can impact performance.  |
 | [`-fstack-protector-strong`](#-fstack-protector-strong)                                   |     GCC 4.9.0<br/>Clang 5.0.0      | Enable run-time checks for stack-based buffer overflows. Can impact performance.             |
+| [`-fcf-protection=full`](#-fcf-protection=full)                                   |     GCC      <br/>Clang            | Enable branch protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP)attacks on Intel |
+| [`-mbranch-protection=standard`](#-mbranch-protection-standard)                                   |     GCC      <br/>Clang            | Enable branch protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks on AArch64 |
 | [`-Wl,-z,nodlopen`](#-Wl,-z,nodlopen) |           Binutils 2.10            | Restrict `dlopen(3)` calls to shared objects                                 |
 | [`-Wl,-z,noexecstack`](#-Wl,-z,noexecstack)                                               |           Binutils 2.14            | Enable data execution prevention by marking stack memory as non-executable                   |
 | [`-Wl,-z,relro`](#-Wl,-z,relro)<br/>[`-Wl,-z,now`](#-Wl,-z,now)                           |           Binutils 2.15            | Mark relocation table entries resolved at load-time as read-only. `-Wl,-z,now` can impact startup performance.                            |
@@ -378,6 +381,30 @@ The performance overhead is dependent on the number of function’s instrumented
 
 ---
 
+### Implement control flow integrity checks
+
+| Compiler Flag                                                                                            | Supported since  | Description                                                  |
+|:-------------------------------------------------------------------------------------------------------- |:-------------:|:------------------------------------------------------------ |
+| <span id="-fcf-protection=full">`-fcf-protection=full`</span><br/>                                   |     GCC      <br/>Clang            | Enable branch protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP)attacks on Intel |
+| <span id="-mbranch-protection-standard">`-mbranch-protection=standard`</span>                        |     GCC      <br/>Clang            | Enable branch protection to counter Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks on AArch64 |
+
+#### Synopsis
+
+Return-oriented programming (ROP) uses an initial subversion (such as a buffer overflow) to perform an indirect jump that executes an arbitrary sequence of instructions. A countermeasure is to ensure that jump addresses and return addresses are correct. This is not a complete solution, but it makes attacks harder to perform.
+
+#### Performance implications
+
+There are performance implications but they are typically mild
+due to hardware assistance.
+The `-fcf-protection=full` flag enables Intel's Control-Flow Enforcement Technology (CET) [^IntelCET].
+The `-mbranch-protection=standard` flag invokes similar protections in the AArch64. In clang it is equivalent to `-mbranch-protection=bti+pac-ret` and invokes the AArch64 Branch Target Identification (BTI) and Pointer Authentication using key A (pac-ret) [^Armclang]
+
+[^Armclang]: ARM Developer, [Arm Compiler armclang Reference Guide Version 6.12 -mbranch-protection](https://developer.arm.com/documentation/100067/0612/armclang-Command-line-Options/-mbranch-protection).
+
+[^IntelCET]: Intel, ["A Technical Look at Intel’s Control-flow Enforcement Technology"](https://www.intel.com/content/www/us/en/developer/articles/technical/technical-look-control-flow-enforcement-technology.html), 2020-06-13.
+
+---
+
 ### Restrict dlopen calls to shared objects
 
 | Compiler Flag                                                                                            | Supported since  | Description                                                  |