[build] Add annobin build/check support
the annobin check is enabled only if all compiler flags, linker flags
and annocheck binary are available.
the build will use as many of the hardening options required to pass
the annocheck regardless.
the check is performed / enabled only with gcc. clang currently suffers
from some limitations to automatically detect the annobin plugin, that
would increase drastacally the complexity of the build system
unnecessarely.
implementation based on:
- https://bugzilla.redhat.com/show_bug.cgi?id=1961686
- https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files#
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/developing_c_and_cpp_applications_in_rhel_8/annobin_toolsets
Original idea by Christine Caulfield <ccaulfie@redhat.com>
CentOS Stream CI insists on this but it's generally a 'good thing'
Signed-off-by: Fabio M. Di Nitto <fdinitto@redhat.com>