BACKPORT: FROMLIST: KVM: arm64: nVHE: Support CONFIG_CFI_CLANG at EL2

The compiler implements kCFI by adding type information (u32) above
every function that might be indirectly called and, whenever a function
pointer is called, injects a read-and-compare of that u32 against the
value corresponding to the expected type. In case of a mismatch, a BRK
instruction gets executed. When the hypervisor triggers such an
exception in nVHE, it panics and triggers and exception return to EL1.

Therefore, teach nvhe_hyp_panic_handler() to detect kCFI errors from the
ESR and report them. If necessary, remind the user that EL2 kCFI is not
affected by CONFIG_CFI_PERMISSIVE.

Pass $(CC_FLAGS_CFI) to the compiler when building the nVHE hyp code.

Use SYM_TYPED_FUNC_START() for __pkvm_init_switch_pgd, as nVHE can't
call it directly and must use a PA function pointer from C (because it
is part of the idmap page), which would trigger a kCFI failure if the
type ID wasn't present.

Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>

Bug: 278010198
Bug: 278749606
Link: https://lore.kernel.org/r/20240510112645.3625702-11-ptosi@google.com


[ptosi@: Modified Android-specific Makefile.nvhe instead of Makefile]
Change-Id: I52f3e8bcd0fd621d37f7fb3ffbaf8260b16d83c5
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>