Please add -mbranch-protection=standard to default arm64 build flags

Bug #2040321 reported by Mark Esler
Affects: gcc-13 (Ubuntu)
Status: New
Importance: High
Assigned to: Unassigned

Bug Description

arm64 code reuse mitigation was introduced to the Ubuntu Archive with dpkg 1.22.0ubuntu1 [0][1][2].

> Pointer Authentication and Branch Target Identification are
> significant new security features in ARMv8.3 and ARMv8.5 respectively
> arm64 hardware. They are present in new (debian-relevant) hardware,
> starting with the Graviton 3. It is both straightforward and
> reasonably safe to enable these features by default now so that they
> can be reasonably well-tested in time for Bookworm. There is a kernel
> option to turn them off at runtime should hardware be found where this
> is a problem, and of course a compiler option to disable them at build
> time. They are important security enhancements, with a very small
> overhead, which can only work if enabled at build-time, so adding
> -mbranch-protection=standard to the default build options seems like
> the right thing to do. [3]

In 2019, measuring on glibc, Arm found that the `pac` option alone reduced the available ROP and JOP gadgets by ~60%, `bti` reduced them by ~95%, and `bti+pac` resulted in a ~98% decrease [4].

`-mbranch-protection=standard` enables both BTI and PAC. It is the current arm64 default for the Ubuntu Archive [0], Debian [2], and Fedora [5].

gcc should have security hardening flag parity with dpkg. Ubuntu Security wants secure defaults for users. This is a philosophical difference from Debian [6]. Ubuntu Security wants compiler hardening applied to random things users download, build, and run, and to snaps, flatpaks, appimages, pip wheels, etc. We want software built on Ubuntu to use safe defaults.

As an example, Xonotic is a video game with arm64 builds on the snap store. C-based snaps are built with gcc, and dpkg-buildflags are not applied. As a multiplayer game, it processes untrusted input from other players. If a remote memory-corruption bug is discovered, the outcome on arm64 victims may be remote code execution rather than a segfault, because attackers are free to build ROP chains in a binary with no branch protection. Kubernetes, etcd, and many other critical pieces of server software are also distributed through snaps. Applying security hardening flags in gcc itself will protect Ubuntu users and the wider community.
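A way for a packager or user to check whether a given arm64 binary (a snap's, for instance) was actually linked with these features, as an added example that is not part of the bug report: the linker records BTI and PAC in the ELF GNU property note (what `readelf -n` prints as "AArch64 feature: BTI, PAC"). The function names and the sample note bytes below are constructed for this example; the constants are the ones from elf.h.

```python
# Read an arm64 ELF binary's GNU property note and report whether the linker recorded BTI and PAC.
import struct

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {1 << 0: "BTI", 1 << 1: "PAC"}  # GNU_PROPERTY_AARCH64_FEATURE_1_{BTI,PAC}
PT_GNU_PROPERTY = 0x6474E553

def parse_gnu_property_note(note: bytes) -> dict:
    """Parse an ELF64 .note.gnu.property blob into {pr_type: pr_data bytes}."""
    namesz, descsz, ntype = struct.unpack_from("<III", note, 0)
    name_end = 12 + namesz
    if ntype != NT_GNU_PROPERTY_TYPE_0 or note[12:name_end] != b"GNU\0":
        return {}
    off = (name_end + 7) & ~7           # ELF64 property descriptors are 8-byte aligned
    end, props = off + descsz, {}
    while off + 8 <= end:
        pr_type, pr_datasz = struct.unpack_from("<II", note, off)
        props[pr_type] = note[off + 8:off + 8 + pr_datasz]
        off = (off + 8 + pr_datasz + 7) & ~7
    return props

def branch_protection(note: bytes) -> set:
    """Subset of {"BTI", "PAC"} that every input object of the link carried."""
    data = parse_gnu_property_note(note).get(GNU_PROPERTY_AARCH64_FEATURE_1_AND, b"")
    if len(data) < 4:
        return set()
    bits = struct.unpack_from("<I", data, 0)[0]
    return {name for bit, name in FEATURE_BITS.items() if bits & bit}

def branch_protection_of_file(path: str) -> set:
    """Find PT_GNU_PROPERTY in a little-endian ELF64 file and inspect its note."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", elf, base)[0] == PT_GNU_PROPERTY:
            p_offset, = struct.unpack_from("<Q", elf, base + 8)
            p_filesz, = struct.unpack_from("<Q", elf, base + 32)
            return branch_protection(elf[p_offset:p_offset + p_filesz])
    return set()  # no property note at all: built without BTI/PAC (or not arm64)

# Constructed sample: the note ld emits when every object in the link had BTI and PAC.
SAMPLE_NOTE = (struct.pack("<III", 4, 16, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
               + struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, 0b11, 0))
```

Because the linker ANDs the feature bits across all input objects, a single object compiled without the flag (a vendored library, hand-written assembly) clears the bit for the whole binary, which is exactly why a compiler-level default matters more than per-package build flags.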

Please add `-mbranch-protection=standard` to the default compiler flags of gcc-13 in Ubuntu 24.04 [7].

[0] https://launchpad.net/ubuntu/+source/dpkg/1.22.0ubuntu1
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021292
[2] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=8f5aca71c1435c9913d5562b8cae68b751dff663
[3] https://lists.debian.org/debian-dpkg/2022/05/msg00022.html
[4] https://community.arm.com/arm-community-blogs/b/tools-software-ides-blog/posts/code-reuse-attacks-the-compiler-story
[5] https://fedoraproject.org/wiki/Changes/Aarch64_PointerAuthentication
[6] https://lists.debian.org/debian-dpkg/2022/06/msg00000.html
[7] https://wiki.ubuntu.com/ToolChain/CompilerFlags

Tags: sec-2966
Mark Esler (eslerm) wrote :

Updates for this flag will not include package documentation until LP#2046279 is addressed.

I'll help and follow up however I can.
