[lld] [llvm] [LLD][COFF] Add more variety of CET and hotpatch flags (PR #150761)

[via llvm-commits]

kkent030315 wrote:

> While I am not familiar with these options, I have the impression a lot more is required to support these CET and hotpatching features in the linker, not just emitting the right flags in the binary. I have the feeling we can't just blindly emit these flags if the feature is not there, can we? I'd be fine to support the `/flag:no` variants for completness, but we cannot give our users the false impression these features are supported when they are not. @sivadeilra @dpaoliello Are you able please to give more insight on this, and/or to assert this PR is indeed in line (or not) with what `link.exe` does?

Let me clarify that all of these options (including the `/cetcompat`) are just flags that are being read by the Windows loader and used by the Windows kernel to handle the real CET behavior in the kernel. Nothing needs to be performed on the linker other than adding those flags. (You can bindiff with and without those flags using MSVC toolchain)

Here is the snippet of the `link.exe` code that handles those flags. `*((_DWORD *)v5 + 986)` is where the extended DLL characheristics flag will be stored.
<img width="660" height="675" alt="image" src="https://github.com/user-attachments/assets/4f1732df-c663-47d6-a13f-94598ddc19c6" />

Another look here:
>  Generally, code changes are not needed and the only modification to the binary is [a bit in the PE header](https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format#extended-dll-characteristics).
https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340

The flags being added in this PR is to control `/cetcompat` behavior.

https://github.com/llvm/llvm-project/pull/150761