[build] Work around distros that use -fcf-protection=full by default

Some patched versions of gcc (observed with gcc 9.3.0 on Ubuntu 20.04)
enable -fcf-protection=full by default.  This breaks code that is not
explicitly written to expect the use of this flag.  The breakage
occurs only at runtime if the affected code (such as setjmp()) happens
to execute, and is therefore a particularly pernicious class of bug to
be introduced into working code by a broken compiler.

Work around these broken patched versions of gcc by detecting support
for -fcf-protection and explicitly setting -fcf-protection=none if
found.

If any Ubuntu maintainers are listening: PLEASE STOP DOING THIS.  It's
extremely unhelpful to have to keep working around breakages that you
introduce by modifying the compiler's default behaviour.  Do what Red
Hat does instead: set your preferred CFLAGS within the package build
system rather than by patching the compiler to behave in violation of
its own documentation.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/252/head
Michael Brown 2021-02-04 11:07:46 +00:00
parent e80299c56b
commit e8393c3728
1 changed files with 10 additions and 0 deletions

@ -401,6 +401,16 @@ WORKAROUND_CFLAGS += $(PIE_FLAGS) $(PIE_FLAGS2)
endif
endif
# Some widespread patched versions of gcc include -fcf-protection=full
# by default.
#
ifeq ($(CCTYPE),gcc)
CFP_TEST = $(CC) -fcf-protection=none -x c -c /dev/null -o /dev/null \
>/dev/null 2>&1
CFP_FLAGS := $(shell $(CFP_TEST) && $(ECHO) '-fcf-protection=none')
WORKAROUND_CFLAGS += $(CFP_FLAGS)
endif
###############################################################################
#
# Source file handling
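
Review bot: The comment added above `ifeq ($(CCTYPE),gcc)` says that some patched gcc versions default to -fcf-protection=full, but not why the build has to turn it off. That reason appears only in the commit message (runtime breakage in code such as setjmp() that is not written to expect the flag). Please add a sentence to that effect in the Makefile comment so the workaround is not later removed as an apparent no-op. The comment should also say that CFP_TEST only probes whether the compiler accepts -fcf-protection=none, not whether full is actually the default, so every gcc that supports the flag will build with control-flow protection instrumentation explicitly disabled. That matches the commit message ("if found"), but it is a deliberate trade-off that a reader of the Makefile should be able to see without going to the commit log.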