3 files changed, 27 insertions, 0 deletions

diff --git a/src/runtime/fipsbypass.go b/src/runtime/fipsbypass.go
new file mode 100644
index 0000000000..12df9c6b6a
--- /dev/null
+++ b/src/runtime/fipsbypass.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package runtime
+
+import _ "unsafe"
+
+//go:linkname fips140_setBypass crypto/fips140.setBypass
+func fips140_setBypass() {
+	getg().fipsOnlyBypass = true
+}
+
+//go:linkname fips140_unsetBypass crypto/fips140.unsetBypass
+func fips140_unsetBypass() {
+	getg().fipsOnlyBypass = false
+}
+
+//go:linkname fips140_isBypassed crypto/fips140.isBypassed
+func fips140_isBypassed() bool {
+	return getg().fipsOnlyBypass
+}
diff --git a/src/runtime/proc.go b/src/runtime/proc.go
index 58fb4bd681..3b98be1074 100644
--- a/src/runtime/proc.go
+++ b/src/runtime/proc.go
@@ -4481,6 +4481,7 @@ func gdestroy(gp *g) {
 	gp.labels = nil
 	gp.timer = nil
 	gp.bubble = nil
+	gp.fipsOnlyBypass = false
 
 	if gcBlackenEnabled != 0 && gp.gcAssistBytes > 0 {
 		// Flush assist credit to the global pool. This gives
@@ -5325,6 +5326,9 @@ func newproc1(fn *funcval, callergp *g, callerpc uintptr, parked bool, waitreaso
 		traceRelease(trace)
 	}
 
+	// fips140 bubble
+	newg.fipsOnlyBypass = callergp.fipsOnlyBypass
+
 	// Set up race context.
 	if raceenabled {
 		newg.racectx = racegostart(callerpc)
diff --git a/src/runtime/runtime2.go b/src/runtime/runtime2.go
index 3175ee55f5..58eaf80237 100644
--- a/src/runtime/runtime2.go
+++ b/src/runtime/runtime2.go
@@ -545,6 +545,7 @@ type g struct {
 	runnableTime    int64 // the amount of time spent runnable, cleared when running, only used when tracking
 	lockedm         muintptr
 	fipsIndicator   uint8
+	fipsOnlyBypass  bool
 	syncSafePoint   bool // set if g is stopped at a synchronous safe point.
 	runningCleanups atomic.Bool
 	sig             uint32