Index: head/security/nss/files/patch-bug1575843
===================================================================
--- head/security/nss/files/patch-bug1575843	(revision 510138)
+++ head/security/nss/files/patch-bug1575843	(revision 510139)
@@ -1,104 +1,104 @@
 Detect ARM CPU features on FreeBSD.
 
 elf_aux_info is similar to getauxval but is nop on aarch64.
 
 --- lib/freebl/blinit.c.orig	2019-07-05 16:02:31 UTC
 +++ lib/freebl/blinit.c
 @@ -96,8 +96,8 @@ CheckX86CPUSupport()
  #ifndef __has_include
  #define __has_include(x) 0
  #endif
 -#if (__has_include(<sys/auxv.h>) || defined(__linux__)) && \
 -    defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
 +#if defined(__linux__)
 +#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)
  /* This might be conflict with host compiler */
  #if !defined(__ANDROID__)
  #include <sys/auxv.h>
 @@ -106,6 +106,10 @@ extern unsigned long getauxval(unsigned long type) __a
  #else
  static unsigned long (*getauxval)(unsigned long) = NULL;
  #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/
 +#elif defined(__FreeBSD__) && __has_include(<sys/auxv.h>)
 +#include <sys/auxv.h>
 +#define HAVE_ELF_AUX_INFO
 +#endif /* defined(__linux__) */
  
  #ifndef AT_HWCAP2
  #define AT_HWCAP2 26
 @@ -118,6 +122,9 @@ static unsigned long (*getauxval)(unsigned long) = NUL
  /* clang-format on */
  
  #if defined(__aarch64__)
 +#if defined(__FreeBSD__)
 +#include <machine/armreg.h>
 +#endif
  // Defines from hwcap.h in Linux kernel - ARM64
  #ifndef HWCAP_AES
  #define HWCAP_AES (1 << 3)
 @@ -137,6 +144,7 @@ CheckARMSupport()
  {
      char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
      char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 +#if defined(__linux__)
      if (getauxval) {
          long hwcaps = getauxval(AT_HWCAP);
          arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL;
 @@ -144,6 +152,14 @@ CheckARMSupport()
          arm_sha1_support_ = hwcaps & HWCAP_SHA1;
          arm_sha2_support_ = hwcaps & HWCAP_SHA2;
      }
 +#elif defined(__FreeBSD__)
 +    uint64_t id_aa64isar0;
 +    id_aa64isar0 = READ_SPECIALREG(ID_AA64ISAR0_EL1);
-+    arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
++    arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
 +    arm_pmull_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL;
 +    arm_sha1_support_ = ID_AA64ISAR0_SHA1(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE;
-+    arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) == ID_AA64ISAR0_SHA2_BASE;
++    arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE;
 +#endif /* defined(__linux__) */
      /* aarch64 must support NEON. */
      arm_neon_support_ = disable_arm_neon == NULL;
  }
 @@ -186,7 +202,7 @@ GetNeonSupport()
      // If no getauxval, compiler generate NEON instruction by default,
      // we should allow NOEN support.
      return PR_TRUE;
 -#elif !defined(__ANDROID__)
 +#elif defined(__linux__) && !defined(__ANDROID__)
      // Android's cpu-features.c detects features by the following logic
      //
      // - Call getauxval(AT_HWCAP)
 @@ -200,6 +216,10 @@ GetNeonSupport()
      if (getauxval) {
          return (getauxval(AT_HWCAP) & HWCAP_NEON);
      }
 +#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO)
 +    unsigned long hwcap = 0;
 +    elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap));
 +    return (hwcap & HWCAP_NEON);
  #endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */
      return PR_FALSE;
  }
 @@ -208,6 +228,7 @@ void
  CheckARMSupport()
  {
      char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
 +#if defined(__linux__)
      if (getauxval) {
          // Android's cpu-features.c uses AT_HWCAP2 for newer features.
          // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust
 @@ -216,6 +237,14 @@ CheckARMSupport()
          // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will
          // returns 0.
          long hwcaps = getauxval(AT_HWCAP2);
 +#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO)
 +    unsigned long hwcaps = 0;
 +    elf_aux_info(AT_HWCAP2, &hwcaps, sizeof(hwcaps));
 +    {
 +#else
 +    if (0) {
 +        unsigned long hwcaps = 0;
 +#endif /* defined(__linux__) */
          arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL;
          arm_pmull_support_ = hwcaps & HWCAP2_PMULL;
          arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
Index: head/security/nss/files/patch-lib_freebl_blinit.c
===================================================================
--- head/security/nss/files/patch-lib_freebl_blinit.c	(revision 510138)
+++ head/security/nss/files/patch-lib_freebl_blinit.c	(revision 510139)
@@ -1,27 +1,27 @@
 qemu:handle_cpu_signal received signal outside vCPU context
 
 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240037
 
 --- lib/freebl/blinit.c.orig	2019-07-05 16:02:31 UTC
 +++ lib/freebl/blinit.c
 @@ -153,12 +153,14 @@ CheckARMSupport()
          arm_sha2_support_ = hwcaps & HWCAP_SHA2;
      }
  #elif defined(__FreeBSD__)
 -    uint64_t id_aa64isar0;
 -    id_aa64isar0 = READ_SPECIALREG(ID_AA64ISAR0_EL1);
--    arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
+-    arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
 -    arm_pmull_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL;
 -    arm_sha1_support_ = ID_AA64ISAR0_SHA1(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE;
--    arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) == ID_AA64ISAR0_SHA2_BASE;
+-    arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE;
 +    if (!PR_GetEnvSecure("QEMU_EMULATING")) {
 +        uint64_t id_aa64isar0;
 +        id_aa64isar0 = READ_SPECIALREG(ID_AA64ISAR0_EL1);
-+        arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
++        arm_aes_support_ = ID_AA64ISAR0_AES(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL;
 +        arm_pmull_support_ = ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL;
 +        arm_sha1_support_ = ID_AA64ISAR0_SHA1(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE;
-+        arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) == ID_AA64ISAR0_SHA2_BASE;
++        arm_sha2_support_ = ID_AA64ISAR0_SHA2(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE;
 +    }
  #endif /* defined(__linux__) */
      /* aarch64 must support NEON. */
      arm_neon_support_ = disable_arm_neon == NULL;
Index: head/www/chromium/files/patch-third__party_boringssl_src_crypto_cpu-aarch64-linux.c
===================================================================
--- head/www/chromium/files/patch-third__party_boringssl_src_crypto_cpu-aarch64-linux.c	(revision 510138)
+++ head/www/chromium/files/patch-third__party_boringssl_src_crypto_cpu-aarch64-linux.c	(revision 510139)
@@ -1,63 +1,63 @@
 --- third_party/boringssl/src/crypto/cpu-aarch64-linux.c.orig	2019-04-30 22:25:51 UTC
 +++ third_party/boringssl/src/crypto/cpu-aarch64-linux.c
 @@ -14,49 +14,35 @@
  
  #include <openssl/cpu.h>
  
 -#if defined(OPENSSL_AARCH64) && defined(OPENSSL_LINUX) && \
 -    !defined(OPENSSL_STATIC_ARMCAP)
 +#if defined(OPENSSL_AARCH64)
  
 -#include <sys/auxv.h>
 -
  #include <openssl/arm_arch.h>
  
  #include "internal.h"
  
 -
  extern uint32_t OPENSSL_armcap_P;
  
 +#include <sys/types.h>
 +#include <machine/armreg.h>
 +
  void OPENSSL_cpuid_setup(void) {
 -  unsigned long hwcap = getauxval(AT_HWCAP);
 +  uint64_t id_aa64isar0;
  
 -  // See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
 -  // these values.
 -  static const unsigned long kNEON = 1 << 1;
 -  static const unsigned long kAES = 1 << 3;
 -  static const unsigned long kPMULL = 1 << 4;
 -  static const unsigned long kSHA1 = 1 << 5;
 -  static const unsigned long kSHA256 = 1 << 6;
 +  id_aa64isar0 = READ_SPECIALREG(ID_AA64ISAR0_EL1);
  
 -  if ((hwcap & kNEON) == 0) {
 -    // Matching OpenSSL, if NEON is missing, don't report other features
 -    // either.
 -    return;
 -  }
 -
    OPENSSL_armcap_P |= ARMV7_NEON;
  
 -  if (hwcap & kAES) {
-+  if (ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_BASE) {
++  if (ID_AA64ISAR0_AES(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE) {
      OPENSSL_armcap_P |= ARMV8_AES;
    }
 -  if (hwcap & kPMULL) {
 +  if (ID_AA64ISAR0_AES(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL) {
      OPENSSL_armcap_P |= ARMV8_PMULL;
    }
 -  if (hwcap & kSHA1) {
 +  if (ID_AA64ISAR0_SHA1(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE) {
      OPENSSL_armcap_P |= ARMV8_SHA1;
    }
 -  if (hwcap & kSHA256) {
-+  if(ID_AA64ISAR0_SHA2(id_aa64isar0) == ID_AA64ISAR0_SHA2_BASE) {
++  if(ID_AA64ISAR0_SHA2(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE) {
      OPENSSL_armcap_P |= ARMV8_SHA256;
    }
  }
 -
 -#endif  // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
 +#endif  // OPENSSL_AARCH64