firefox: drop nss and nspr recipes, cleanup

- add "--disable-sandbox" config to arm arch - this somehow disappeared
during history squashing
- remove vendored nss and nspr recipes, and make Firefox's vendored
nss work with ARM CPUs without crypto engine
- CI: clone meta-firefox-test repo with direct url, otherwise it would
point to a non-existing repo when using variables
- CI: set a new FF specific runner name
- CI: remove the environment from the config, it is not that useful with
matrix strategy, nor with running it in a separate repo

Author: OldManYellsAtCloud

.github/workflows/yocto_matrix.yml

@@ -23,12 +23,11 @@ jobs:
         exclude:
           - yocto_version: kirkstone
             arch: riscv
-    runs-on: [self-hosted, desktop]
+    runs-on: [self-hosted, firefox]
     container:
       image: skandigraun/yocto:latest
       volumes:
         - yocto:/yocto
-    environment: ff-build-env
     steps:
       - run: |
          mkdir -p /yocto/${{ matrix.yocto_version }}
@@ -37,10 +36,10 @@ jobs:
          git clone $GITHUB_SERVER_URL/$GITHUB_REPOSITORY
          git -C meta-browser checkout $GITHUB_HEAD_REF
          # clone the test repo
-         git clone $GITHUB_SERVER_URL/$GITHUB_REPOSITORY_OWNER/meta-firefox-test
+         git clone https://github.com/OldManYellsAtCloud/meta-firefox-test.git
          ./meta-firefox-test/scripts/build.sh ${{ matrix.yocto_version}} ${{ matrix.arch }} ${{ matrix.ff_version }} ${{ matrix.libc_flavour}}
   test:
-    runs-on: [self-hosted, desktop]
+    runs-on: [self-hosted, firefox]
     needs: build
     strategy:
       matrix:

meta-firefox/classes/mozilla.bbclass

@@ -8,9 +8,9 @@ EXTRA_OECONF = "--target=${TARGET_SYS} --host=${BUILD_SYS} \
                 --prefix=${prefix} \
                 --libdir=${libdir}"
 
-EXTRA_OECONF:append:arm = " --disable-elf-hack"
-EXTRA_OECONF:append:x86 = " --disable-elf-hack"
-EXTRA_OECONF:append:x86-64 = " --disable-elf-hack"
+EXTRA_OECONF:append:arm = " --disable-sandbox --disable-elf-hack "
+EXTRA_OECONF:append:aarch64 = " --disable-elf-hack "
+EXTRA_OECONF:append:x86-64 = " --disable-elf-hack "
 
 EXTRA_OECONF:append:libc-musl = " --disable-jemalloc "
 EXTRA_OECONF:append:libc-musl:x86-64 = " --disable-sandbox "

meta-firefox/recipes-browser/firefox/firefox.inc

@@ -10,13 +10,11 @@ DEPENDS:x86:append = " nasm-native "
 RDEPENDS:${PN} = "libva libpci"
 RDEPENDS:${PN}-dev = "dbus"
 
-# Use system's nss in case the CPU has no native crypto support (e.g. armv7)
-# On dunfell and kirkstone use the vendored version, as they contain too old version.
-# This is only for ARM arch: Firefox's nss explicitly includes code using hw-crypto support for this arch.
-ARM_AND_NO_HW_CRYPTO = "${@ True if 'crypto' not in d.getVar('TUNE_FEATURES') and \
+# Disable hw crypto support in freebl/nss in case the CPU has no native crypto support (e.g. armv7)
+EXTRA_OECONF:append = "${@ ' --nss-disable-arm-crypto=1 ' if 'crypto' not in d.getVar('TUNE_FEATURES') and \
                         ( 'arm' in d.getVar('TARGET_ARCH') or \
                           'aarch64' in d.getVar('TARGET_ARCH') \
-                        ) else False }"
+                        ) else '' }"
 
 LICENSE = "MPL-2.0"
 
@@ -49,6 +47,7 @@ SRC_URI += "https://ftp.mozilla.org/pub/firefox/releases/${PV}/source/firefox-${
            file://0004-Fix-compiling-with-enable-openmax-config.patch \
            file://0001-rust-don-t-abort-on-panic.patch \
            file://0001-add-musl-support.patch \
+           file://0001-Add-option-to-disable-arm-hw-crypto-engine.patch \
            file://debian-hacks/Add-another-preferences-directory-for-applications-p.patch \
            file://debian-hacks/Avoid-using-vmrs-vmsr-on-armel.patch \
            file://debian-hacks/Avoid-wrong-sessionstore-data-to-keep-windows-out-of.patch \
@@ -137,8 +136,6 @@ PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "alsa", "alsa", "", d
                    rust-simd \
 "
 
-PACKAGECONFIG:append = "${@ ' system-nss system-nspr ' if ${ARM_AND_NO_HW_CRYPTO} else '' }"
-
 PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib"
 PACKAGECONFIG[wayland] = "--enable-default-toolkit=cairo-gtk3-wayland,--enable-default-toolkit=cairo-gtk3,virtual/egl,"
 PACKAGECONFIG[gpu] = ",,,"
@@ -149,10 +146,8 @@ PACKAGECONFIG[forbid-multiple-compositors] = ",,,"
 PACKAGECONFIG[disable-sandboxed-libraries] = "--without-wasm-sandboxed-libraries,,,"
 PACKAGECONFIG[rust-simd] = "--enable-rust-simd,,"
 
-# nspr and nss dependencies are handled separately, due to requiring
-# different versions depending on Yocto version and CPU capabilities.
-PACKAGECONFIG[system-nspr] = "--with-system-nspr,,nspr-4.35,nspr-4.35"
-PACKAGECONFIG[system-nss] = "--with-system-nss,,nss-3.108,nss-3.108"
+PACKAGECONFIG[system-nspr] = "--with-system-nspr,,nspr,nspr"
+PACKAGECONFIG[system-nss] = "--with-system-nss,,nss,nss"
 PACKAGECONFIG[system-ffi] = "--with-system-ffi,,libffi,libffi"
 PACKAGECONFIG[system-icu] = "--with-system-icu,,icu,icu"
 PACKAGECONFIG[system-zlib] = "--with-system-zlib,,zlib,zlib"

meta-firefox/recipes-browser/firefox/firefox/0001-Add-option-to-disable-arm-hw-crypto-engine.patch

@@ -0,0 +1,86 @@
+From 0a3789949ffb04829eee00ebe28c785253ce7a96 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 30 Mar 2025 14:14:06 +0200
+Subject: [PATCH] Add option to disable arm hw crypto engine
+
+On some older ARM SoC's there is no hardware support for cryptography.
+However the nss librray in Firefox expect this support to be present,
+which fails the build when this is not the case.
+
+To avoid this, introduce a new option that allows disabling building
+for ARM crypto engine when it is required.
+
+Upstream-Status: Pending
+---
+ moz.configure                     | 12 ++++++++++++
+ security/moz.build                |  3 +++
+ security/nss/coreconf/config.gypi |  6 +++---
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/moz.configure b/moz.configure
+index 804b9a3..fd13950 100755
+--- a/moz.configure
++++ b/moz.configure
+@@ -517,6 +517,18 @@ def build_backend_defaults(
+     return tuple(all_backends) or None
+ 
+ 
++option(
++    "--nss-disable-arm-crypto",
++    default="0",
++    help="Build NSS libraries with HW crypto engine for ARM"
++)
++
++@depends("--nss-disable-arm-crypto")
++def nss_disable_arm_crypto(disable):
++    return disable
++
++set_config("DISABLE_NSS_ARM_HW_CRYPTO", nss_disable_arm_crypto)
++
+ option(
+     "--build-backends",
+     nargs="+",
+diff --git a/security/moz.build b/security/moz.build
+index b30e9c2..9c122e2 100644
+--- a/security/moz.build
++++ b/security/moz.build
+@@ -107,6 +107,9 @@ gyp_vars["enable_draft_hpke"] = 1
+ # build system ignores.
+ gyp_vars["iphone_deployment_target"] = "doesntmatter"
+ 
++# When set to 1, this disables building with arm hw crypto engine
++gyp_vars["arm_hw_crypto"] = CONFIG["DISABLE_NSS_ARM_HW_CRYPTO"]
++
+ # Clang can build NSS with its integrated assembler since version 9.
+ if (
+     CONFIG["TARGET_CPU"] == "x86_64"
+diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
+index baf4256..e6e7160 100644
+--- a/security/nss/coreconf/config.gypi
++++ b/security/nss/coreconf/config.gypi
+@@ -101,9 +101,9 @@
+     'cc_is_gcc%': '<(cc_is_gcc)',
+     'cc_use_gnu_ld%': '<(cc_use_gnu_ld)',
+     # Some defaults
+-    'disable_arm_hw_aes%': 0,
+-    'disable_arm_hw_sha1%': 0,
+-    'disable_arm_hw_sha2%': 0,
++    'disable_arm_hw_aes%': '<(arm_hw_crypto)',
++    'disable_arm_hw_sha1%': '<(arm_hw_crypto)',
++    'disable_arm_hw_sha2%': '<(arm_hw_crypto)',
+     'disable_intel_hw_sha%': 0,
+     'disable_tests%': 0,
+     'disable_chachapoly%': 0,
+diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
+index 14f213c..09e29ac 100644
+--- a/security/nss/lib/freebl/freebl.gyp
++++ b/security/nss/lib/freebl/freebl.gyp
+@@ -606,7 +606,7 @@
+           'dependencies': [
+             'gcm-aes-x86_c_lib',
+           ]
+-        }, 'target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64"', {
++        }, '(disable_arm_hw_aes==0 or disable_arm_hw_sha1==0 or disable_arm_hw_sha2==0) and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
+           'dependencies': [
+             'armv8_c_lib',
+           ],