diff --git a/configure.ac b/configure.ac
index 8621e7489..2b647dade 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4452,25 +4452,6 @@ then
     ENABLED_CURVE25519="yes"
 fi
 
-if test "$ENABLED_CURVE25519" != "no"
-then
-    if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
-    then
-        AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
-        ENABLED_CURVE25519_SMALL=yes
-        ENABLED_CURVE25519=yes
-    fi
-
-    if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
-    then
-        AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
-    fi
-
-    AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
-    AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
-    ENABLED_FEMATH=yes
-fi
-
 
 # ED25519
 AC_ARG_ENABLE([ed25519],
@@ -9799,12 +9780,12 @@ then
     ENABLED_OPENSSLEXTRA="yes"
 fi
 
-if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
+if test "$ENABLED_CURVE25519" != "no" && test "$ENABLED_CURVE25519" != "asm" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
 then
     ENABLED_CURVE25519=noasm
 fi
 
-if test "$ENABLED_ED25519" != "no" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
+if test "$ENABLED_ED25519" != "no" && test "$ENABLED_ED25519" != "asm" && test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
 then
     ENABLED_ED25519=noasm
 fi
@@ -9814,18 +9795,37 @@ then
     AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_X64"
 fi
 
+if test "$ENABLED_CURVE25519" != "no"
+then
+    if test "$ENABLED_CURVE25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DCURVE25519_SMALL"
+        ENABLED_CURVE25519_SMALL=yes
+    fi
+
+    if test "$ENABLED_CURVE25519" = "no128bit" || test "$ENABLED_32BIT" = "yes"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DNO_CURVED25519_128BIT"
+    fi
+
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_CURVE25519"
+    AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_CURVE25519"
+    ENABLED_FEMATH=yes
+fi
+
 if test "$ENABLED_ED25519" != "no"
 then
     if test "$ENABLED_ED25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
     then
+        AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"
         ENABLED_ED25519_SMALL=yes
         ENABLED_CURVE25519_SMALL=yes
-        ENABLED_ED25519=yes
     fi
 
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
+    AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"
     ENABLED_FEMATH=yes
     ENABLED_GEMATH=yes
-    ENABLED_CERTS=yes
 fi
 
 if test "$ENABLED_ED25519" != "no" || test "$ENABLED_ED448" != "no"
@@ -9988,13 +9988,6 @@ AS_IF([test "x$ENABLED_CERTGEN" = "xyes"],
 AS_IF([test "x$ENABLED_CERTEXT" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
 
-AS_IF([test "$ENABLED_ED25519" != "no"],
-      [AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
-       AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"])
-
-AS_IF([test "x$ENABLED_ED25519_SMALL" = "xyes"],
-      [AM_CFLAGS="$AM_CFLAGS -DED25519_SMALL"])
-
 AS_IF([test "x$ENABLED_OCSP" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"])
 
diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c
index 056add3b8..015564338 100644
--- a/linuxkm/lkcapi_glue.c
+++ b/linuxkm/lkcapi_glue.c
@@ -499,15 +499,24 @@ static int linuxkm_lkcapi_register(void)
 
 #ifdef LINUXKM_LKCAPI_REGISTER_ECDH
 
-    #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) &&    \
-        defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
-        defined(CONFIG_CRYPTO_MANAGER) &&                    \
+   /* In kernels before 5.13.0, ecdh-nist-p256 was not recognized as
+    * fips_allowed, and ecdh-nist-p384 was completely
+    * missing before 5.14 and not fips_allowed before 5.15.
+    *
+    * RedHat also recently patched their crypto manager to mark ECDH
+    * !fips_allowed due the vagaries of their own certificate.  (See 5074fb61f6,
+    * 2025-Mar-13.)
+    *
+    * Given the above, and given we're not actually relying on the crypto
+    * manager for FIPS self tests, and given the FIPS ECDH implementation passes
+    * the non-FIPS ECDH crypto manager tests, the pragmatic solution we settle
+    * on here for ECDH is to always clear fips_enabled in target kernels that
+    * have it.
+    */
+
+    #if defined(CONFIG_CRYPTO_FIPS) &&                \
+        defined(CONFIG_CRYPTO_MANAGER) &&             \
         !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
-        /*
-         * In kernel crypto/testmgr.c, ecdh-nist-p256 was not recognized as
-         * fips_allowed before 5.13, and ecdh-nist-p384 was completely
-         * missing before 5.14 and not fips_allowed before 5.15.
-         */
         fips_enabled = 0;
     #endif
 
@@ -522,9 +531,8 @@ static int linuxkm_lkcapi_register(void)
     REGISTER_ALG(ecdh_nist_p384, kpp,
                  linuxkm_test_ecdh_nist_p384);
 
-    #if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)) &&    \
-        defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_FIPS) && \
-        defined(CONFIG_CRYPTO_MANAGER) &&                    \
+    #if defined(CONFIG_CRYPTO_FIPS) &&                \
+        defined(CONFIG_CRYPTO_MANAGER) &&             \
         !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
         fips_enabled = 1;
     #endif