[bdamm]

Nobody actually runs HSMs in FIPS mode anyway. FIPS certification just means it can be run in a FIPS mode, and that it did at one time pass the certification. So while it is a very useful hurdle to jump over, it is impractical to use (for the same reasons you mention, and others).

[hedora]

The only time I've paid close attention to a FIPS certification process, they forced us to substantially weaken the security posture of our product by making it easier for attackers to exfiltrate keys in certain circumstances (the product was designed to be run in trusted environments, and there were many less-theoretical attack vectors, but the FIPS process didn't care about those).

Anyway, it hasn't been a useful hurdle to jump over in my experience. At this point, if a system has a FIPS compliance mode, that lowers my opinion of its real-world security properties. If someone voluntarily insists on using FIPS-compliant stuff, I assume they're completely incompetent in all matters, professional and personal (that heuristic has worked for me 100% of the time).