arch: arm: add compiler flags for PACBTI

arch/arm/core/cortex_m/CMakeLists.txt

@@ -2,6 +2,23 @@
 
 zephyr_library()
 
+if(CONFIG_ARMV8_1_M_PACBTI_STANDARD)
+  zephyr_compile_options(-mbranch-protection=standard)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET)
+  zephyr_compile_options(-mbranch-protection=pac-ret)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF)
+  zephyr_compile_options(-mbranch-protection=pac-ret+leaf)
+elseif(CONFIG_ARMV8_1_M_PACBTI_BTI)
+  zephyr_compile_options(-mbranch-protection=bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_BTI)
+  zephyr_compile_options(-mbranch-protection=pac-ret+bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_PACRET_LEAF_BTI)
+  zephyr_compile_options(-mbranch-protection=pac-ret+leaf+bti)
+elseif(CONFIG_ARMV8_1_M_PACBTI_NONE)
+  #TODO: Enable this after Zephyr SDK updates to GCC version >=14.2
+  # zephyr_compile_options(-mbranch-protection=none)
+endif()
+
 zephyr_library_sources(
   exc_exit.c
   fault.c

arch/arm/core/cortex_m/Kconfig

@@ -1,6 +1,7 @@
 # ARM Cortex-M platform configuration options
 
 # Copyright (c) 2014-2015 Wind River Systems, Inc.
+# Copyright 2025 Arm Limited and/or its affiliates <[email protected]>
 # SPDX-License-Identifier: Apache-2.0
 
 # NOTE: We have the specific core implementations first and outside of the
@@ -298,6 +299,60 @@ config ARMV8_1_M_PMU
 	  This option is enabled when the CPU implements ARMv8-M Performance
 	  Monitoring Unit (PMU).
 
+choice ARMV8_1_M_PACBTI
+	prompt "Pointer Authentication and Branch Target Identification"
+	default ARMV8_1_M_PACBTI_NONE
+	depends on ARMV8_1_M_MAINLINE
+
+config ARMV8_1_M_PACBTI_STANDARD
+	bool "Standard (PACRET + LEAF + BTI)"
+	help
+	  This option instructs the compiler to generate code with all branch protection features
+	  enabled at their standard level.
+
+config ARMV8_1_M_PACBTI_PACRET
+	bool "PACRET only"
+	help
+	  This option instructs the compiler to generate code with return address signing for
+	  all functions that save the return address to memory.
+
+config ARMV8_1_M_PACBTI_PACRET_LEAF
+	bool "PACRET + Leaf"
+	help
+	  This option instructs the compiler to generate code with return address signing for
+	  all functions that save the return address to memory and,
+	  also sign leaf functions even if they do not write the return address to memory.
+
+config ARMV8_1_M_PACBTI_BTI
+	bool "BTI only"
+	help
+	  This option enables Branch Target Identification (BTI), which inserts special landing
+	  pad instructions at valid indirect branch targets. This option does not enable Pointer
+	  Authentication (PAC).
+
+config ARMV8_1_M_PACBTI_PACRET_BTI
+	bool "PACRET + BTI"
+	help
+	  This option instructs the compiler to generate code with return address signing for
+	  all functions that save the return address to memory and,
+	  add landing-pad instructions at the permitted targets of indirect branch instructions
+
+config ARMV8_1_M_PACBTI_PACRET_LEAF_BTI
+	bool "PACRET + Leaf + BTI"
+	help
+	  This option instructs the compiler to generate code with return address signing for
+	  all functions that save the return address to memory and,
+	  also sign leaf functions even if they do not write the return address to memory and,
+	  add landing-pad instructions at the permitted targets of indirect branch instructions
+
+config ARMV8_1_M_PACBTI_NONE
+	bool "None"
+	help
+	This option instructs the compiler to generate code without branch protection or return
+	address signing
+
+endchoice
+
 config ARMV8_M_PMU_EVENTCNT
 	int "Number of event counters in the Performance Monitoring Unit"
 	depends on ARMV8_1_M_PMU