cmake: Allow selection of libc API overflow detection mode

This adds a choice of three different libc API buffer overflow detection
modes:

 * None
 * Compile-time
 * Compile-time and Run-time

These correspond with the clang/gcc _FORTIFY_SOURCE modes (0/1/2).
_FORTIFY_SOURCE depends on compiler optimizations and require libc support
which the minimal C library doesn't include, so _FORTIFY_SOURCE is disabled
by default in those cases. Native tooling might also enable
_FORTIFY_SOURCE, so don't enable it by default in that case either.

Signed-off-by: Keith Packard <keithp@keithp.com>