nss: use optimized ARM64 crypto on Mac

[larseggert]

By providing the correct flag overrides. Should speed up some crypto operations considerably.

CC @dennisjackson @martinthomson

• Have you followed the guidelines for contributing?
• Have you ensured that your commits follow the commit style guide?
• Have you checked that there aren't other open pull requests for the same formula update/change?
• Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
• Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
• Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

---

[Copilot]

Pull Request Overview

This PR enables optimized ARM64 cryptography operations for the nss formula on Mac by providing correct compiler flags. Previously, ARM64 optimization was disabled with a workaround comment indicating compilation failures, but this change removes that limitation and configures the build system to properly use ARM64 crypto instructions.

• Removes conditional runtime CPU detection that excluded ARM64 Macs
• Adds architecture-specific compiler flags for ARM64 builds via Darwin.mk configuration
• Increments formula revision to force rebuild with new optimizations

[p-linnane]

Why isn't upstream setting this themselves?

[larseggert]

Upstream is building using build.sh, i.e., gyp and not make. The Makefiles are basically legacy and just used by RedHat AFAIK.

[carlocab]

Is this based on a patch that's already been merged on your Phabricator? If not, we'd prefer that this be fixed there first (or, at least, concurrently, with a reference to the upstream fix here in the inreplace).

[carlocab]

Also, can we not just override CPU_ARCH when calling make, given that the Makefile only seems to set this behind an ifndef?

[larseggert]

Is this based on a patch that's already been merged on your Phabricator? If not, we'd prefer that this be fixed there first (or, at least, concurrently, with a reference to the upstream fix here in the inreplace).

It's not, and since we don't build NSS with make, we wouldn't be able to test this change there. CC'ing @jschanck @dennisjackson @mozkeeler to check is this is something they think should be done.

Also, can we not just override CPU_ARCH when calling make, given that the Makefile only seems to set this behind an ifndef?

That seems to leave the -arch ppc flags in place, but the compile also succeeds. I mostly went the inreplace way since it shadows how it's done for other architectures. (Again, since we don't build with make, I have no real deep insight into what's best here.)

[mozkeeler]

I think this is a change we should just make in-tree. Our infra does build/test using make, but interestingly not on macOS, which is probably something we should change as well.

[larseggert]

Glad I CC'ed @mozkeeler; learned something :-) OK, so let's make that change in-tree, and I will revisit this PR when it's landed in a release.