diff --git a/drivers/android/vendor_hooks.c b/drivers/android/vendor_hooks.c
index 69f07c0f64fe..1a14e7caf785 100644
--- a/drivers/android/vendor_hooks.c
+++ b/drivers/android/vendor_hooks.c
@@ -20,6 +20,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -138,6 +139,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_ftrace_oops_exit);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_ftrace_size_check);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_ftrace_format_check);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_ftrace_dump_buffer);
+EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_sha256);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_mem_cgroup_free);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_mem_cgroup_alloc);
 EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_cma_alloc_bypass);
diff --git a/include/trace/hooks/fips140.h b/include/trace/hooks/fips140.h
new file mode 100644
index 000000000000..bfadf5122b1c
--- /dev/null
+++ b/include/trace/hooks/fips140.h
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM fips140
+#define TRACE_INCLUDE_PATH trace/hooks
+
+#if !defined(_TRACE_HOOK_FIPS140_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_HOOK_FIPS140_H
+#include
+
+/*
+ * These hooks exist only for the benefit of the FIPS140 crypto module, which
+ * uses them to swap out the underlying implementation with one that is integrity
+ * checked as per FIPS 140 requirements. No other uses are allowed or supported.
+ */
+
+DECLARE_HOOK(android_vh_sha256,
+ TP_PROTO(const u8 *data,
+ unsigned int len,
+ u8 *out,
+ int *hook_inuse),
+ TP_ARGS(data, len, out, hook_inuse));
+
+#endif /* _TRACE_HOOK_FIPS140_H */
+
+/* This part must be outside protection */
+#include
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index 04c1f2557e6c..d4194fff1d4b 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 
 static const u32 SHA256_K[] = {
 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
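Review bot: The comment above `DECLARE_HOOK(android_vh_sha256, ...)` in include/trace/hooks/fips140.h limits the hook to the FIPS140 module but never states the handler contract, even though `out` is passed without a length and `hook_inuse` is the only result channel. I would extend that comment with `A handler that sets *hook_inuse to non-zero must already have written the complete SHA256_DIGEST_SIZE-byte digest to out; the caller skips its own computation in that case.` The "no other uses are allowed" restriction also looks like policy only: the tracepoint is exported with `EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_sha256)` in vendor_hooks.c, so any GPL module that attaches would determine the digest returned to sha256() callers. It is worth saying in the comment that the set of registered handlers must be audited for that reason.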
@@ -159,6 +160,14 @@ void sha256(const u8 *data, unsigned int len, u8 *out)
 {
 struct sha256_state sctx;
 
+#ifndef __DISABLE_EXPORTS
+ int hook_inuse = 0;
+
+ trace_android_vh_sha256(data, len, out, &hook_inuse);
+ if (hook_inuse)
+ return;
+#endif
+
 sha256_init(&sctx);
 sha256_update(&sctx, data, len);
 sha256_final(&sctx, out);
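Review bot: In sha256(), the early `return` after `if (hook_inuse)` trusts the flag alone, so a handler that sets it without filling `out` leaves the caller with an unwritten digest buffer and no error indication. A comment above the call would make the dependency explicit, e.g. `/* FIPS140 hook: when hook_inuse is set the handler has already written the full digest to out. */`. Only this one-shot entry point is redirected here; callers that use sha256_init()/sha256_update()/sha256_final() directly would still run the built-in code unless those are hooked elsewhere, which a comment should also record. The `#include` added in this file's first hunk sits outside the `#ifndef __DISABLE_EXPORTS` guard used around the call, so builds that define that macro may still pull in the tracepoint header; consider guarding it the same way. The function body closes outside this hunk.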