diff --git a/lib/libomp/Makefile b/lib/libomp/Makefile
--- a/lib/libomp/Makefile
+++ b/lib/libomp/Makefile
@@ -1,4 +1,7 @@
+# z_Linux_asm.S is missing BTI support
+MK_BRANCH_PROTECTION=no
+
 .include
 SHLIB_NAME= libomp.so
diff --git a/share/mk/bsd.lib.mk b/share/mk/bsd.lib.mk
--- a/share/mk/bsd.lib.mk
+++ b/share/mk/bsd.lib.mk
@@ -97,6 +97,12 @@
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+= -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
diff --git a/share/mk/bsd.opts.mk b/share/mk/bsd.opts.mk
--- a/share/mk/bsd.opts.mk
+++ b/share/mk/bsd.opts.mk
@@ -74,6 +74,7 @@
 __DEFAULT_NO_OPTIONS = \
 ASAN \
 BIND_NOW \
+ BRANCH_PROTECTION \
 CCACHE_BUILD \
 CTF \
 INSTALL_AS_USER \
@@ -102,6 +103,10 @@
 __DEFAULT_YES_OPTIONS+=PIE
 .endif
+.if ${MACHINE_CPUARCH} != "aarch64"
+BROKEN_OPTIONS+= BRANCH_PROTECTION
+.endif
+
 __SINGLE_OPTIONS = \
 INIT_ALL
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -69,6 +69,12 @@
 .endif
 # LLD sensibly defaults to -znoexecstack, so do the same for BFD
 LDFLAGS.bfd+= -Wl,-znoexecstack
+.if ${MK_BRANCH_PROTECTION} != "no"
+CFLAGS+= -mbranch-protection=standard
+.if ${MACHINE_ARCH} == "aarch64" && defined(BTI_REPORT_ERROR)
+LDFLAGS+= -Wl,-zbti-report=error
+.endif
+.endif
 # Initialize stack variables on function entry
 .if ${OPT_INIT_ALL} != "none"
diff --git a/stand/Makefile.inc b/stand/Makefile.inc
--- a/stand/Makefile.inc
+++ b/stand/Makefile.inc
@@ -1,4 +1,7 @@
 SUBDIR_PARALLEL= yes
+# Firmware may not be able to handle branch protection failures
+MK_BRANCH_PROTECTION= no
+
 .include "defs.mk"
diff --git a/tools/build/options/WITHOUT_BRANCH_PROTECTION b/tools/build/options/WITHOUT_BRANCH_PROTECTION
new file mode 100644
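Review bot: The comment on the added `MK_BRANCH_PROTECTION=no` line names the cause but not the consequence: with the option off, libomp.so is built without `-mbranch-protection=standard` at all, so it loses PAC return-address signing as well as BTI even though only BTI is said to be missing from z_Linux_asm.S. Without this override, the assembly objects lacking the BTI property note would presumably make the linker drop the note for the whole shared object, or fail the link when `-zbti-report=error` is in effect, which is why the whole library is opted out. A fuller comment would help the next maintainer, e.g. `# z_Linux_asm.S has no BTI landing pads, so a BTI-marked link would lose or reject the note; this also drops PAC-RET for the whole library until the asm is fixed`. Consider a follow-up that adds the landing pads to the assembly entry points so the library can be re-enabled.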
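Review bot: The `-zbti-report=error` link check only runs when `BTI_REPORT_ERROR` is defined, so in the default build a single object without the BTI property note (a hand-written .S, for instance) makes the linker drop the note for the whole output and nothing reports it; the binary then runs without BTI enforcement while the option says it is on. A warning by default keeps that visible at no cost to the build, `LDFLAGS+= -Wl,-zbti-report=${BTI_REPORT_ERROR:Derror:Uwarning}`, routed through a per-linker LDFLAGS variant (the `LDFLAGS.bfd` line above shows such a split exists) if the BFD linker in use does not accept the flag. The inner guard tests `MACHINE_ARCH` while the BROKEN_OPTIONS guard in bsd.opts.mk tests `MACHINE_CPUARCH`; they agree today, but one spelling avoids drift later. The same six-line block is duplicated verbatim in the bsd.prog.mk hunk; hoisting it into a file both include (presumably bsd.sys.mk, where other hardening flags live) would keep the two from diverging, and the `BTI_REPORT_ERROR` knob deserves a line of documentation since it is not an MK_ option.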
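Review bot: The `.if ${MACHINE_CPUARCH} != "aarch64"` block that marks BRANCH_PROTECTION broken has no comment saying why; the reason is that `-mbranch-protection=standard` (added in bsd.lib.mk) is only meaningful for arm64 in this tree, so a one-liner such as `# -mbranch-protection is an arm64-only compiler flag` saves the next reader a trip to bsd.lib.mk. Since the option is listed under `__DEFAULT_NO_OPTIONS`, the hardening is opt-in; if the intent is to flip it on once libomp and the loader are handled, a note to that effect here would help.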
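Review bot: The comment `# Firmware may not be able to handle branch protection failures` is ambiguous about what fails and who handles it; the concern is presumably that the loader runs under firmware where BTI page attributes and PAC keys may not be set up, so a branch-protection trap there cannot be recovered from. A rewording such as `# The loader runs under firmware that may not have configured BTI/PAC; a branch-protection trap there cannot be handled` states the actual risk, and makes clear this is a deliberate opt-out rather than a missing feature.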
--- /dev/null
+++ b/tools/build/options/WITHOUT_BRANCH_PROTECTION
@@ -0,0 +1 @@
+Build with branch protection disabled.
diff --git a/tools/build/options/WITH_BRANCH_PROTECTION b/tools/build/options/WITH_BRANCH_PROTECTION
new file mode 100644
--- /dev/null
+++ b/tools/build/options/WITH_BRANCH_PROTECTION
@@ -0,0 +1,4 @@
+Build with branch protection enabled.
+On arm64 enable the use of pointer authentication and
+branch target identification instructions on arm64.
+These can be used to help mitigate some exploit techniques.