desktops: enable Widevine DRM out of the box on ARM64 desktops

[SuperKali]

Problem

HTML5 DRM streaming is broken on Armbian ARM64 desktop images — libwidevinecdm0 isn't installed by default (currently only via extensions/mesa-vpu.sh gated to rk3588/rk35xx + noble + vendor), and Chromium 128+ lost its silent software WebGL fallback (crbug.com/242999 · blink-dev Intent to Remove), breaking Netflix Akira / Disney+ / Prime Video init with opaque errors. Netflix on top of that gates on a ChromeOS UA — osname=linux is denied server-side regardless of architecture.

What this PR changes

Two commits, one goal: Netflix and every other HTML5 DRM player just work on ARM64 desktop images without launchers, extensions, or per-user setup.

Commit 1 — desktops/yaml: add widevine virtual token

• _resolve_browser in parse_desktop_yaml.py generalised to _resolve_virtual_token(token) so additional virtual tokens are cheap to add
• New widevine: map in common.yaml (noble arm64/armhf → libwidevinecdm0)
• widevine token added to the mid tier next to browser
• Combos with no mapping silently drop the token (same pattern as browser), so pre-populating this ahead of apt.armbian.com publishing the .deb is safe

Commit 2 — desktops/branding: chromium DRM drop-in + eval-aware wrapper

• New /etc/chromium.d/armbian-widevine drop-in with --enable-unsafe-swiftshader (fix WebGL) and --user-agent="...CrOS aarch64..." (fix Netflix osname=linux block)
• New /usr/bin/chromium.armbian wrapper — near-identical copy of the stock launcher but execs via eval so CHROMIUM_FLAGS entries containing spaces (any valid UA string) survive word-splitting
• module_desktop_branding.sh copies branding/browsers/usr/ to /usr/ and uses dpkg-divert to swap /usr/bin/chromium with a symlink to our wrapper, preserving the upstream at /usr/bin/chromium.upstream
• Future apt upgrade chromium lands the upstream wrapper in .upstream thanks to the divert; our symlink stays intact

Why these specific choices

• --enable-unsafe-swiftshader is a no-op where hardware WebGL works, only matters as fallback. Safe on every board. Rationale documented in the Chromium SwiftShader removal tracker and the Chrome Enterprise Policy page.
• The CrOS UA spoof is the only known workaround for Netflix's osname=linux server-side block. Raspberry Pi OS already hardcodes the same spoof in its chromium build (rpi-firmware discussion · Raspberry-Pi-OS-64bit#248). Asahi Linux documented the same workaround independently (da.vidbuchanan.co.uk blog · AsahiLinux/widevine-installer). Fedora ARM users reached the same conclusion (fedora discussion). We can't rebuild chromium, so the drop-in is the next-best surface.
• Safe because Chromium 107+ already freezes `navigator.platform` to `"Linux x86_64"` on every Linux host including ARM64 per the UA Reduction policy (Firefox followed with bugzilla #1861847), and Netflix does not request `Sec-CH-UA-Arch` via `Accept-CH` (MDN reference). So the fiction is contained to the legacy UA string; Client Hints headers and JS APIs keep reporting real values.
• The wrapper detour is needed because the stock /usr/bin/chromium does plain word-splitting on $CHROMIUM_FLAGS — a flag with spaces in its value (any --user-agent=...) gets shattered into garbage tokens. eval fixes it without rewriting the whole wrapper.

Verified on

• Board: Youyeetoo R1 v3 (RK3588), Armbian nightly 26.2.0-trunk.747, Ubuntu Noble, GNOME 46 on Wayland
• Stack: chromium 132.0.6834.159 (PPA liujianfeng1994/rockchip-multimedia), libwidevinecdm0 4.10.2662.3 (Raspberry Pi Foundation upstream repacked for noble — upstream pool)
• Opened Chromium from the normal desktop menu → Netflix loads, any title plays at SD quality (Widevine L3 ceiling). Disney+ / Prime Video / Spotify / YouTube DRM all work too.
• No launcher, no browser extension, no manual UA tweaking, no DevTools.

Scope / non-goals

• apt.armbian.com hosting of libwidevinecdm0 is handled separately (tracked with @igorpecovnik). Until the .deb is published the widevine: token resolves to a package name that doesn't exist on apt — this PR depends on that hosting being in place. Marking as DRAFT until then.
• Does not compile chromium in-house (apt.armbian.com mirrors xtradeb; this approach avoids taking over that).
• Widevine L1 / L2 impossible on ARM64 Linux in general (no TEE + OEMCrypto + Google-signed keybox) — L3 is the ceiling, which caps Netflix to ~480p. Confirmed by the Arch Linux Netflix E109 thread and the Asahi Linux Netflix post above. Out of scope here.
• Coverage currently noble arm64/armhf only. Other releases gain DRM automatically as soon as their entry is added to the widevine: map.

Depends on

• apt.armbian.com publishing libwidevinecdm0 for noble arm64/armhf

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 010f5c83-ef73-4708-8701-6e79d05506a9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}