microsoft / terminal

The new Windows Terminal and the original Windows console host, all in the same place!
MIT License

enable Intel CET #17769

Open Andarwinux opened 3 weeks ago

Andarwinux commented 3 weeks ago

Description of the new feature/enhancement

Compile Windows Terminal with /guard:ehcont and link with /guard:ehcont /cetcompat

Proposed technical implementation details (optional)

lhecker commented 3 weeks ago

These flags are used by default for other system binaries (including inbox conhost). It may be worth checking how much these flags cost us in performance and/or binary size and to enable them.

DHowett commented 3 weeks ago

For what it's worth, we're building with the security configuration baseline established by Windows Undocked. The build system we're using enforces that baseline and does not seem to be signaling us as out-of-compliance.

Andarwinux commented 2 weeks ago

I can't test ehcont, but cetcompat seems to be fine. I forced hardware-enforced stack protection for Windows Terminal via WD on tigerlake and znver4 and didn't notice any performance impact.
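
One way to confirm that a built binary actually carries the marker the linker records for `/cetcompat`, as an added example (not code from the Windows Terminal project or from any commenter in this thread): it reads the PE debug directory for the extended DLL characteristics entry and tests the CET-compatible bit. The function names and `build_sample`, which constructs a minimal PE32+ byte layout for the demo, are hypothetical; the check covers `/cetcompat` only, not `/guard:ehcont`.

```python
import struct

IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS = 20      # winnt.h debug directory type
IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT = 0x0001  # bit recorded by link /cetcompat

def is_cet_compat(pe: bytes) -> bool:
    """True if the image's extended DLL characteristics mark it CET compatible."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]      # SizeOfOptionalHeader
    opt = nt + 24                                            # optional header start
    dir_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", pe, opt)[0])
    if dir_off is None:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, opt + dir_off - 4)[0] <= 6:
        return False                                         # no debug directory slot
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, opt + dir_off + 6 * 8)
    # Section table fields: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    base = next((raw + dbg_rva - va for vs, va, rs, raw in secs
                 if va <= dbg_rva < va + max(vs, rs)), None)  # RVA -> file offset
    if base is None:
        return False
    for i in range(dbg_size // 28):                          # IMAGE_DEBUG_DIRECTORY entries
        typ, size, _, raw = struct.unpack_from("<IIII", pe, base + 28 * i + 12)
        if typ == IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS and size >= 4:
            flags = struct.unpack_from("<I", pe, raw)[0]
            return bool(flags & IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT)
    return False

def build_sample(cet: bool) -> bytes:
    """Constructed minimal PE32+ layout (headers only, not a runnable program)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)             # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 240)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 112 + 48, 0x1000, 28) # debug directory RVA, size
    struct.pack_into("<IIII", img, 0x148 + 8, 0x200, 0x1000, 0x200, 0x200)  # one section
    struct.pack_into("<IIII", img, 0x200 + 12, 20, 4, 0x1020, 0x220)        # debug entry
    struct.pack_into("<I", img, 0x220, 1 if cet else 0)       # extended characteristics
    return bytes(img)
```

On a real build output, pass the file's bytes (for example `open(path, "rb").read()`) to `is_cet_compat`.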