diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-13 17:04:52.968903200 +0100
@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar
 
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+    /* if the system FIPS mode is enabled, force FIPS to be on */
+    if (SECMOD_GetSystemFIPSEnabled()) {
+        mod->isFIPS = PR_TRUE;
+    }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:06:24.171723872 +0100
@@ -94,6 +94,26 @@ SECMOD_Shutdown()
     return SECSuccess;
 }
 
+int SECMOD_GetSystemFIPSEnabled(void) {
+#ifdef LINUX
+    FILE *f;
+    char d;
+    size_t size;
+
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (!f)
+        return 0;
+
+    size = fread(&d, 1, 1, f);
+    fclose(f);
+    if (size != 1)
+        return 0;
+    if (d == '1')
+        return 1;
+#endif
+    return 0;
+}
+
 /*
  * retrieve the internal module
  */
@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char *
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
-    if (pendingModule) {
+    if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
         return rv;
     }
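Review bot: The forced `mod->isFIPS = PR_TRUE` in the pk11pars.c hunk is applied to every module that passes through SECMOD_CreateModuleEx, not only to the internal softoken; if `isFIPS` is meant to select the FIPS variant of the internal module (the existing "FIPS" flag parsing suggests so, but the users of the field are outside this hunk), an external PKCS#11 module loaded while the system flag is set will be labelled FIPS without any check on the module itself. If that is not intended, narrow the override to `if (mod->internal && SECMOD_GetSystemFIPSEnabled()) {` and extend the comment to say which modules it applies to; if it is intended, the comment should say so explicitly, e.g. `/* system FIPS mode marks every module as FIPS, including external ones */`. SECMOD_CreateModuleEx starts and ends outside the hunk.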
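Review bot: SECMOD_GetSystemFIPSEnabled fails open: when `/proc/sys/crypto/fips_enabled` cannot be opened or the single-byte read fails (procfs not mounted, a restricted container, or a build without LINUX defined) it returns 0 and callers proceed as if system FIPS mode were off, which should be documented above the definition, e.g. `/* Returns 1 only when the kernel reports fips_enabled=1; an absent or unreadable file is treated as FIPS off. */`. The definition layout, `int SECMOD_GetSystemFIPSEnabled(void) {` on one line, departs from this file's convention of return type, name and opening brace on separate lines, as SECMOD_CanDeleteInternalModule shows later in this patch. The declaration added to secmodi.h in the same patch uses an empty parameter list, `int SECMOD_GetSystemFIPSEnabled();`, which is an unprototyped declaration in C and does not match the `(void)` definition; it should read `int SECMOD_GetSystemFIPSEnabled(void);`. Since the value is re-read from /proc on every call (module creation and both deletion checks), caching the result after a successful read would avoid repeated file opens, assuming the kernel flag is fixed for the life of the process.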
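Review bot: The new condition in SECMOD_DeleteInternalModule duplicates the test that SECMOD_CanDeleteInternalModule now performs in the -902 hunk, so the two can drift apart; the deletion path could instead use `if (!SECMOD_CanDeleteInternalModule()) {` and keep the rule in one place. If the duplicated form is kept, testing the cheap `pendingModule` flag first, `if (pendingModule || SECMOD_GetSystemFIPSEnabled()) {`, avoids a file open when deletion is already blocked. The error raised is still SEC_ERROR_MODULE_STUCK, so a caller cannot tell a stuck module from system FIPS mode being on; a short comment such as `/* system FIPS mode pins the internal module; report it as stuck */` would explain the reuse. SECMOD_DeleteInternalModule's body continues outside the hunk.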
@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
 PRBool
 SECMOD_CanDeleteInternalModule(void)
 {
-    return (PRBool)(pendingModule == NULL);
+    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
 }
 
 /*
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/secmodi.h 2017-01-13 17:07:08.897624098 +0100
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
 
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int SECMOD_GetSystemFIPSEnabled();
+
 extern void pk11sdr_Init(void);
 extern void pk11sdr_Shutdown(void);
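Review bot: The rewritten return line puts a space after the cast, `(PRBool) ((...))`, where the line it replaces wrote `(PRBool)(...)`; keeping the original spacing, `return (PRBool)((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());`, avoids a gratuitous formatting change in a one-line hunk. A one-line comment above the return stating that system FIPS mode makes the internal module non-deletable would also tell readers why the extra term is there.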