From fc5fb3c925258eb85c8802ea965ec4a5d389775c Mon Sep 17 00:00:00 2001
From: Pauli <ppzgs1@gmail.com>
Date: Fri, 20 Sep 2024 08:59:40 +1000
Subject: [PATCH] fips: mention the internal jitter source in the FIPS README

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25498)
---
 README-FIPS.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README-FIPS.md b/README-FIPS.md
index d8ca3c482d..c15cbad67c 100644
--- a/README-FIPS.md
+++ b/README-FIPS.md
@@ -167,6 +167,22 @@ manual page.
 
  [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html
 
+Entropy Source
+==============
+
+The FIPS provider typically relies on an external entropy source,
+specified during OpenSSL build configuration (default: `os`).  However, by
+enabling the `enable-fips-jitter` option during configuration, an internal
+jitter entropy source will be used instead.  Note that this will cause
+the FIPS provider to operate in a non-compliant mode unless an entropy
+assessment [ESV] and validation through the [CMVP] are additionally conducted.
+
+Note that the `enable-fips-jitter` option is only available in OpenSSL
+versions 3.5 and later.
+
+ [CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
+ [ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
+
 3rd-Party Vendor Builds
 =====================================