It looks like the nss recipe was added to xenclient-oe in March 2018 as part of the UEFI project.
It also looks like there have been security updates to the software that are included in the more recent version of the recipe in openembedded-core. (There's at least one CVE addressed.)
Should the xenclient-oe version be upgraded?
nss was added because it is a dependency of the pesign tool, which was added to dom0 to support forward seal.