Consider `-Wl,-z,separate-code` for C and C++ Compiler Hardening Guide

[thomasnyman]

Splitting this off from Dominik Czarnota's extensive feedback in #330.

The -Wl,-z,separate-code option ensures that the ELF header is not mapped with executable rights. This is effectively a complement to RELRO but instead of applying read-only permissions to sensitive parts of the data segment, it applies read-only permissions to potentially dangerous areas of the code segment.

Resources:

• https://bitlackeys.org/papers/secure_code_partitioning_2018.txt

[thesamesam]

Some notes:

• This is enabled by default since it was added to GNU Binutils in f6aec96dce1ddbd8961a3aa8a2925db2021719bb (binutils-2.31)
• Distributors may configure with --disable-separate-code when building Binutils which will change that behaviour
• The approach doesn't have complete consensus, see e.g. https://maskray.me/blog/2023-12-17-exploring-the-section-layout-in-linker-output#z-separate-loadable-segments from @maskray.
• Nick Clifton, the chief Binutils maintainer, is working on --rosegment which is in binutils-2.43. See https://sourceware.org/PR30907 too.
• There's a balance between larger binaries and the (debatable) security benefit of at least -Wl,-z,separate-code. I haven't read enough about rosegment yet.