diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c index 8768e7e6c61a..44397e97ff23 100644 --- a/drivers/android/vendor_hooks.c +++ b/drivers/android/vendor_hooks.c @@ -62,6 +62,7 @@ #include #include #include +#include /* * Export tracepoints that act as a bare tracehook (ie: have no trace event @@ -321,3 +322,4 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_free_user); EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_set_balance_anon_file_reclaim); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cpuidle_psci_enter); EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cpuidle_psci_exit); +EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_sha256); diff --git a/include/trace/hooks/fips140.h b/include/trace/hooks/fips140.h new file mode 100644 index 000000000000..10fe4bbaee08 --- /dev/null +++ b/include/trace/hooks/fips140.h @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM fips140 +#define TRACE_INCLUDE_PATH trace/hooks + +#if !defined(_TRACE_HOOK_FIPS140_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_HOOK_FIPS140_H +#include +#include + +/* + * This hook exists only for the benefit of the FIPS140 crypto module, which + * uses it to swap out the underlying implementation with one that is integrity + * checked as per FIPS 140 requirements. No other uses are allowed or + * supported. + */ +DECLARE_HOOK(android_vh_sha256, + TP_PROTO(const u8 *data, + unsigned int len, + u8 *out, + int *hook_inuse), + TP_ARGS(data, len, out, hook_inuse)); + +#endif /* _TRACE_HOOK_FIPS140_H */ + +/* This part must be outside protection */ +#include diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c index 2321f6cb322f..216a0d9787b0 100644 --- a/lib/crypto/sha256.c +++ b/lib/crypto/sha256.c @@ -17,6 +17,7 @@ #include #include #include +#include static inline u32 Ch(u32 x, u32 y, u32 z) { 
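Review bot: The header comment in the new include/trace/hooks/fips140.h hunk states the policy ("No other uses are allowed or supported") but not the contract a probe must honour, which is what the caller actually depends on: `hook_inuse` is the only signal that `out` has been filled, and nothing in the header says that a probe which sets it must first have written the complete 32-byte (SHA256_DIGEST_SIZE) digest of `data`/`len`, including the `len == 0` case. I would extend the comment with `A probe that services the request must write the full SHA256_DIGEST_SIZE bytes to @out before setting *@hook_inuse non-zero; the caller then skips the generic implementation entirely.` The policy is also not enforced by anything shown here: the tracepoint is exported with EXPORT_TRACEPOINT_SYMBOL_GPL in the vendor_hooks.c hunk, so as far as these hunks show any GPL module can register a probe and substitute the digest for every sha256() caller, which deserves a sentence in the comment or a check in whatever registration path exists. `int *hook_inuse` would read more clearly as `bool *`, but that is a style preference.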
@@ -284,6 +285,14 @@ void sha256(const u8 *data, unsigned int len, u8 *out)
 {
 struct sha256_state sctx;
 
+#if defined(CONFIG_CRYPTO_FIPS140) && !defined(BUILD_FIPS140_KO)
+ int hook_inuse = 0;
+
+ trace_android_vh_sha256(data, len, out, &hook_inuse);
+ if (hook_inuse)
+ return;
+#endif
+
 sha256_init(&sctx);
 sha256_update(&sctx, data, len);
 sha256_final(&sctx, out);
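Review bot: The early `return` when `hook_inuse` is set hands the caller whatever the probe left in `out`, so every sha256() result now rests on an unchecked contract with the probe, and the opposite case is equally silent: with CONFIG_CRYPTO_FIPS140 enabled but no probe registered (for instance before the module that registers it is loaded), the call falls through to the generic, non-integrity-checked implementation with no indication to the caller. If that fallback is intended it should be stated at the call site, e.g. above the `#if`: `/* FIPS140: let the integrity-checked module service this call; fall back to the generic code only when no probe has claimed it. */`; if it is not intended, a WARN_ON_ONCE() or a stricter policy belongs here rather than in the probe. If DECLARE_HOOK follows ordinary tracepoint semantics, more than one probe may run and the last one to write `out`/`hook_inuse` decides, which matters given that vendor_hooks.c exports the symbol to any GPL module. The body of sha256() continues past the hunk; its closing brace is not shown.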