[PATCH 17/17] Add standalone crypto kernel module technical documentation

Eric Biggers ebiggers at kernel.org
Tue Feb 24 17:55:17 PST 2026


On Thu, Feb 12, 2026 at 02:42:21AM +0000, Jay Wang wrote:
> With this feature, FIPS certification is tied only to the crypto
> module. Therefore, once the module is certified, loading this
> certified module on newer kernels automatically makes those kernels
> FIPS-certified. As a result, this approach can save re-certification
> costs and 12-18 months of waiting time by reducing the need for
> repeated FIPS re-certification cycles.

Let's be clear: this is possible only when the kernel has a stable ABI
to the crypto module, which realistically isn't something that is going
to be supported upstream.  The Linux kernel is well-known for not
maintaining a stable in-kernel ABI, for good reasons.

So, the only case where this feature would have a benefit over the
kernel's existing approach to FIPS 140 is in downstream kernels that
maintain a stable in-kernel ABI.  There would be no benefit to direct
users of the mainline kernel or even the stable release series.

For this to be considered for upstream there would need to be some level
of consensus in the community to support this feature despite this.

- Eric


