[release-branch.go1.24] doc/godebug: mention GODEBUG=fips140

ianlancetaylor · gopherbot · commit 0f7b7600fbf2 · 2025-02-19T13:59:08.000-08:00
For #71666 For #71745 Change-Id: Ice816cf2943c5b6660f05934b4c7ca38545714b0 Reviewed-on: https://go-review.googlesource.com/c/go/+/648520 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Commit-Queue: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> (cherry picked from commit 5f65e5c) Reviewed-on: https://go-review.googlesource.com/c/go/+/650596 Reviewed-by: Michael Knyszek <mknyszek@google.com>
diff --git a/doc/godebug.md b/doc/godebug.md
@@ -153,6 +153,17 @@ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
 
 ### Go 1.24
 
+Go 1.24 added a new `fips140` setting that controls whether the Go
+Cryptographic Module operates in FIPS 140-3 mode.
+The possible values are:
+- "off": no special support for FIPS 140-3 mode. This is the default.
+- "on": the Go Cryptographic Module operates in FIPS 140-3 mode.
+- "only": like "on", but cryptographic algorithms not approved by
+  FIPS 140-3 return an error or panic.
+For more information, see [FIPS 140-3 Compliance](/doc/security/fips140).
+This setting is fixed at program startup time, and can't be modified
+by changing the `GODEBUG` environment variable after the program starts.
+
 Go 1.24 changed the global [`math/rand.Seed`](/pkg/math/rand/#Seed) to be a
 no-op. This behavior is controlled by the `randseednop` setting.
 For Go 1.24 it defaults to `randseednop=1`.
