On Thu, Feb 12, 2026 at 02:42:21AM +0000, Jay Wang wrote:
> With this feature, FIPS certification is tied only to the crypto
> module. Therefore, once the module is certified, loading this
> certified module on newer kernels automatically makes those kernels
> FIPS-certified. As a result, this approach can save re-certification
> costs and 12-18 months of waiting time by reducing the need for
> repeated FIPS re-certification cycles.
Let's be clear: this is possible only when the kernel has a stable ABI to the crypto module, which realistically isn't something that is going to be supported upstream. The Linux kernel is well-known for not maintaining a stable in-kernel ABI, for good reasons. So, the only case where this feature would have a benefit over the kernel's existing approach to FIPS 140 is in downstream kernels that maintain a stable in-kernel ABI. There would be no benefit to direct users of the mainline kernel or even the stable release series. For this to be considered for upstream, there would need to be some level of consensus in the community to support this feature despite this.

- Eric
