asm_trampoline.S misses branch protection flags for x86_64 and aarch64

[stratakis]

Bug report

Bug description:

asm_trampoline.S added here 6d791a9 misses the branch protections offered for the latest x86-64 and aarch64 processors.

For C code the compiler takes care of that however for the assembler files the relevant instructions need to be added manually.

This was discovered by running the annobin-annocheck tool on a Fedora machine:

$ annocheck --hardened libpython3.14.so.1.0

Hardened: libpython3.14.so.1.0: FAIL: cf-protection test because no .note.gnu.property section = no control flow information
Hardened: libpython3.14.so.1.0: FAIL: property-note test because a property note was found but it shows that cf-protection is not enabled

Relevant annobin documentation:
x86_64: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
aarch64: https://sourceware.org/annobin/annobin.html/Test-branch-protection.html

CPython versions tested on:

3.12, 3.13, 3.14, CPython main branch

Operating systems tested on:

Linux

Linked PRs

• [DRAFT]gh-128605: Add branch protections for asm_trampoline.S #128606