guix: Pointer Authentication and Branch Target Identification for aarch64 Linux

Arm Pointer Authentication (PAC) is a method of hardening code from Return Oriented Programming (ROP) attacks. It uses a tag in a pointer to sign and verify pointers. Branch Target Identification (BTI) is another code hardening method, where the branch/jump target is identified with a special landing pad instruction. Outside of some system support in glibc+kernel, packages gain the additional hardening by compiling with the -mbranch-protection= flag available in recent versions of GCC. In particular -mbranch-protection=standard enables both BTI and PAC, with code sequences that are backwards compatible to armv8.0 and activate on v8.3 (PAC) & v8.5 (BTI) enabled Arm machines. (taken from Fedora).

Creation of a BTI enabled binary also requires that everything being linked in be BTI enabled. This means you currently cannot, for example, cross-compile using an Ubuntu-based aarch64 toolchain, if you want to use this feature. This can be shown using -Wl,-z,force-bti, which will emit warnings for linked objects that are not BTI enabled (this is used in configure to detect when to disable using the flags). i.e.:

```cpp
int main() { return 0; }
```

```
# aarch64-linux-gnu-g++ (Ubuntu 13.2.0-23ubuntu4) 13.2.0
aarch64-linux-gnu-g++ test.cpp -mbranch-protection=standard -Wl,-z,force-bti
/usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/bin/ld: /usr/lib/gcc-cross/aarch64-linux-gnu/13/../../../../aarch64-linux-gnu/lib/../lib/Scrt1.o: warning: BTI turned on by -z force-bti when all inputs do not have BTI in NOTE section.
```

Closes #19075.
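The "NOTE section" the linker warning refers to can be inspected directly. The following is an added example, not part of this merge request or the project's code: it reads the GNU property notes of a little-endian ELF64 object or binary and reports which of BTI and PAC it is marked for, so an unmarked input such as the Scrt1.o above can be identified before linking. The constants are taken from the GNU property ABI for AArch64; the function names and the sample note bytes are constructed for illustration.

```python
import struct

SHT_NOTE, NT_GNU_PROPERTY_TYPE_0 = 7, 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURES = {0x1: "BTI", 0x2: "PAC"}  # bits of the FEATURE_1_AND property
# Constructed sample: the bytes of a .note.gnu.property section marking BTI and PAC.
SAMPLE_NOTE = struct.pack("<III4sIIII", 4, 16, 5, b"GNU\0", 0xC0000000, 4, 0x3, 0)

def up(n, a):
    return (n + a - 1) & ~(a - 1)  # round n up to a multiple of a (a power of two)

def note_features(note, align=8):
    """Feature names marked in the raw bytes of one ELF64 note section."""
    found, off = set(), 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz]
        d = up(off + 12 + namesz, align)
        desc, off = note[d:d + descsz], up(d + descsz, align)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # e.g. a build-id note
        p = 0
        while p + 12 <= len(desc):  # property header (8 bytes) + 4 data bytes
            pr_type, pr_datasz, bits = struct.unpack_from("<III", desc, p)
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz >= 4:
                found |= {n for b, n in FEATURES.items() if bits & b}
            p = up(p + 8 + pr_datasz, 8)  # ELF64 properties are 8-byte aligned
    return found

def elf_features(elf):
    """Union of marked features over every SHT_NOTE section of an ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    found = set()
    for i in range(shnum):
        _, sh_type, _, _, offset, size, _, _, addralign, _ = struct.unpack_from(
            "<IIQQQQIIQQ", elf, shoff + i * shentsize)
        if sh_type == SHT_NOTE:
            found |= note_features(elf[offset:offset + size], max(addralign, 4))
    return found

if __name__ == "__main__":
    print(sorted(note_features(SAMPLE_NOTE)))
```

An input for which `elf_features` returns a set without "BTI" is one that would trigger the warning shown above when linked with -z force-bti.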