From f2590e74cdcd8fb1aa6e8c0fcb4c9d6d5dae80db Mon Sep 17 00:00:00 2001
From: Rob Glossop <robgssp@gmail.com>
Date: Wed, 23 Aug 2023 00:06:14 -0700
Subject: [PATCH] Add arm64 widevine support to chromium

We use a patched glibc to get around an issue with DT_RELR support
checking against the prebuilt widevine lib.
---
 .../networking/browsers/chromium/default.nix  | 52 ++++++++++++++-----
 .../chromium/glibc-no-relr-check.patch        | 13 +++++
 2 files changed, 52 insertions(+), 13 deletions(-)
 create mode 100644 pkgs/applications/networking/browsers/chromium/glibc-no-relr-check.patch

diff --git a/pkgs/applications/networking/browsers/chromium/default.nix b/pkgs/applications/networking/browsers/chromium/default.nix
index 6419fa6a14fd604..6efd23aff567554 100644
--- a/pkgs/applications/networking/browsers/chromium/default.nix
+++ b/pkgs/applications/networking/browsers/chromium/default.nix
@@ -2,7 +2,7 @@
 , buildPackages
 , llvmPackages_16
 , ed, gnugrep, coreutils, xdg-utils
-, glib, gtk3, gtk4, gnome, gsettings-desktop-schemas, gn, fetchgit
+, glib, glibc, gtk3, gtk4, gnome, gsettings-desktop-schemas, gn, fetchgit
 , libva, pipewire, wayland
 , gcc, nspr, nss, runCommand
 , lib, libkrb5
@@ -78,7 +78,12 @@ let
     (if channel == "ungoogled-chromium" then "stable" else channel);
   pkgName = "google-chrome-${pkgSuffix}";
   chromeSrc =
-    let
+    if stdenv.hostPlatform.system == "aarch64-linux" then
+      fetchurl {
+        url = "https://archive.raspberrypi.org/debian/pool/main/w/widevine/libwidevinecdm0_4.10.2252.0+3_arm64.deb";
+        sha256 = "1122awhw8dxckjdi3c92dfvldw94bcdz27xvqfsv8k591hhvp2y8";
+      }
+    else let
       # Use the latest stable Chrome version if necessary:
       version = if chromium.upstream-info.sha256bin64 != null
         then chromium.upstream-info.version
@@ -104,7 +109,9 @@ let
 
     unpackCmd = let
       widevineCdmPath =
-        if (channel == "stable" || channel == "ungoogled-chromium") then
+        if stdenv.hostPlatform.system == "aarch64-linux" then
+          "./opt/WidevineCdm"
+        else if (channel == "stable" || channel == "ungoogled-chromium") then
           "./opt/google/chrome/WidevineCdm"
         else if channel == "beta" then
           "./opt/google/chrome-beta/WidevineCdm"
@@ -131,9 +138,16 @@ let
 
     PATCH_RPATH = mkrpath [ gcc.cc glib nspr nss ];
 
-    patchPhase = ''
-      patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_x64/libwidevinecdm.so
-    '';
+    patchPhase = if stdenv.hostPlatform.system == "x86_64-linux" then
+      ''
+        patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_x64/libwidevinecdm.so
+      ''
+     else if stdenv.hostPlatform.system == "aarch64-linux" then
+      ''
+        patchelf --set-rpath "$PATCH_RPATH:\$ORIGIN" _platform_specific/linux_arm64/libwidevinecdm.so
+        patchelf --set-rpath "$PATCH_RPATH" _platform_specific/linux_arm64/libwidevinecdm_real.so
+      ''
+     else throw "Unsupported platform";
 
     installPhase = ''
       mkdir -p $out/WidevineCdm
@@ -141,7 +155,7 @@ let
     '';
 
     meta = {
-      platforms = [ "x86_64-linux" ];
+      platforms = [ "x86_64-linux" "aarch64-linux" ];
       license = lib.licenses.unfree;
     };
   };
@@ -150,17 +164,29 @@ let
 
   sandboxExecutableName = chromium.browser.passthru.sandboxExecutableName;
 
+  # aarch64's prebuilt widevine includes DT_RELR relocations without
+  # the GLIBC_ABI_DT_RELR symbol glibc expects. Disable the check for
+  # chrome. See discussion at
+  # https://github.com/raspberrypi/Raspberry-Pi-OS-64bit/issues/248
+  patchedGlibc = glibc.overrideAttrs (self: super: {
+    name = "glibc-widevine-${super.version}";
+    patches = super.patches ++ [ ./glibc-no-relr-check.patch ];
+  });
+
   # We want users to be able to enableWideVine without rebuilding all of
   # chromium, so we have a separate derivation here that copies chromium
   # and adds the unfree WidevineCdm.
   chromiumWV = let browser = chromium.browser; in if enableWideVine then
     runCommand (browser.name + "-wv") { version = browser.version; }
-      ''
-        mkdir -p $out
-        cp -a ${browser}/* $out/
-        chmod u+w $out/libexec/chromium
-        cp -a ${widevineCdm}/WidevineCdm $out/libexec/chromium/
-      ''
+      (''
+         mkdir -p $out
+         cp -a ${browser}/* $out/
+         chmod u+w $out/libexec/chromium
+         cp -a ${widevineCdm}/WidevineCdm $out/libexec/chromium/
+       '' + lib.optionalString (stdenv.hostPlatform.system == "aarch64-linux") ''
+         chmod u+w $out/libexec/chromium/chromium
+         patchelf --set-interpreter ${patchedGlibc}/lib/ld-linux-aarch64.so.1 $out/libexec/chromium/chromium
+       '')
     else browser;
 
 in stdenv.mkDerivation {
diff --git a/pkgs/applications/networking/browsers/chromium/glibc-no-relr-check.patch b/pkgs/applications/networking/browsers/chromium/glibc-no-relr-check.patch
new file mode 100644
index 000000000000000..c85692c586502f5
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/glibc-no-relr-check.patch
@@ -0,0 +1,13 @@
+diff --git a/elf/dl-version.c b/elf/dl-version.c
+index 5b8693de04..c2bb39bc57 100644
+--- a/elf/dl-version.c
++++ b/elf/dl-version.c
+@@ -362,7 +362,7 @@ _dl_check_map_versions (struct link_map *map, int verbose, int trace_mode)
+   /* When there is a DT_VERNEED entry with libc.so on DT_NEEDED, issue
+      an error if there is a DT_RELR entry without GLIBC_ABI_DT_RELR
+      dependency.  */
+-  if (dyn != NULL
++  if (0 && dyn != NULL
+       && map->l_info[DT_NEEDED] != NULL
+       && map->l_info[DT_RELR] != NULL
+       && __glibc_unlikely (!map->l_dt_relr_ref))