diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index 2c68d0b00..a7995c151 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -605,6 +605,7 @@ WC_RSA_NO_FERMAT_CHECK
 WC_SHA384
 WC_SHA384_DIGEST_SIZE
 WC_SHA512
+WC_SKIP_INCLUDED_C_FILES
 WC_SSIZE_TYPE
 WC_STRICT_SIG
 WC_WANT_FLAG_DONT_USE_AESNI
diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h
index 14f8ae693..ff20e326d 100644
--- a/linuxkm/linuxkm_wc_port.h
+++ b/linuxkm/linuxkm_wc_port.h
@@ -422,6 +422,17 @@
             #define WC_AES_XTS_SUPPORT_SIMULTANEOUS_ENC_AND_DEC_KEYS
         #endif
 
+        /* setup for LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT needs to be here
+         * to assure that calls to get_random_bytes() in random.c are gated out
+         * (they would recurse, potentially infinitely).
+         */
+        #if (defined(LINUXKM_LKCAPI_REGISTER_ALL) && \
+             !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG) && \
+             !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT)) && \
+            !defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT)
+            #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
+        #endif
+
         #ifndef __PIE__
             #include <linux/crypto.h>
             #include <linux/scatterlist.h>
diff --git a/linuxkm/lkcapi_aes_glue.c b/linuxkm/lkcapi_aes_glue.c
index cb5e0ea52..398f428d0 100644
--- a/linuxkm/lkcapi_aes_glue.c
+++ b/linuxkm/lkcapi_aes_glue.c
@@ -19,6 +19,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_aes_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -4312,3 +4315,5 @@ static int linuxkm_test_aesecb(void) {
 #endif /* LINUXKM_LKCAPI_REGISTER_AESECB */
 
 #endif /* LINUXKM_LKCAPI_REGISTER_AES */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c
index d8db8db12..69cfffe5a 100644
--- a/linuxkm/lkcapi_dh_glue.c
+++ b/linuxkm/lkcapi_dh_glue.c
@@ -20,6 +20,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_dh_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -2966,3 +2969,5 @@ test_kpp_end:
 }
 
 #endif /* LINUXKM_LKCAPI_REGISTER_DH */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_ecdh_glue.c b/linuxkm/lkcapi_ecdh_glue.c
index 96d5ce8db..86231183d 100644
--- a/linuxkm/lkcapi_ecdh_glue.c
+++ b/linuxkm/lkcapi_ecdh_glue.c
@@ -20,6 +20,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_ecdh_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -991,3 +994,5 @@ test_ecdh_nist_end:
 }
 
 #endif /* LINUXKM_LKCAPI_REGISTER_ECDH */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_ecdsa_glue.c b/linuxkm/lkcapi_ecdsa_glue.c
index f7e3cf67a..92d38dfd2 100644
--- a/linuxkm/lkcapi_ecdsa_glue.c
+++ b/linuxkm/lkcapi_ecdsa_glue.c
@@ -20,6 +20,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_ecdsa_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -843,3 +846,5 @@ test_ecdsa_nist_end:
 }
 
 #endif /* LINUXKM_LKCAPI_REGISTER_ECDSA */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c
index b62b82a83..db34d95aa 100644
--- a/linuxkm/lkcapi_glue.c
+++ b/linuxkm/lkcapi_glue.c
@@ -21,6 +21,7 @@
  */
 
 /* included by linuxkm/module_hooks.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
 
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
@@ -981,3 +982,5 @@ static int linuxkm_lkcapi_unregister(void)
 
     return seen_err;
 }
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c
index 218d9eb37..0902af41f 100644
--- a/linuxkm/lkcapi_rsa_glue.c
+++ b/linuxkm/lkcapi_rsa_glue.c
@@ -20,6 +20,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_rsa_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -3250,3 +3253,5 @@ static int get_hash_enc_len(int hash_oid)
     return enc_len;
 }
 #endif /* LINUXKM_LKCAPI_REGISTER_RSA */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/lkcapi_sha_glue.c b/linuxkm/lkcapi_sha_glue.c
index 584ebc3f3..196ade40f 100644
--- a/linuxkm/lkcapi_sha_glue.c
+++ b/linuxkm/lkcapi_sha_glue.c
@@ -19,6 +19,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
+/* included by linuxkm/lkcapi_glue.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
+
 #ifndef LINUXKM_LKCAPI_REGISTER
     #error lkcapi_sha_glue.c included in non-LINUXKM_LKCAPI_REGISTER project.
 #endif
@@ -374,10 +377,7 @@
         !defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG)
         #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG
     #endif
-    #if (defined(LINUXKM_LKCAPI_REGISTER_ALL) && !defined(LINUXKM_LKCAPI_DONT_REGISTER_HASH_DRBG_DEFAULT)) && \
-        !defined(LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT)
-        #define LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT
-    #endif
+    /* setup for LINUXKM_LKCAPI_REGISTER_HASH_DRBG_DEFAULT is in linuxkm_wc_port.h */
 #else
     #undef LINUXKM_LKCAPI_REGISTER_HASH_DRBG
 #endif
@@ -968,7 +968,6 @@ struct wc_linuxkm_drbg_ctx {
     struct wc_rng_inst {
         wolfSSL_Atomic_Int lock;
         WC_RNG rng;
-        int disabled_vec_ops;
     } *rngs; /* one per CPU ID */
 };
 
@@ -1090,14 +1089,8 @@ static inline struct wc_rng_inst *get_drbg(struct crypto_rng *tfm) {
 
     for (;;) {
         int expected = 0;
-        if (likely(__atomic_compare_exchange_n(&ctx->rngs[n].lock, &expected, new_lock_value, 0, __ATOMIC_SEQ_CST, __ATOMIC_ACQUIRE))) {
-            struct wc_rng_inst *drbg = &ctx->rngs[n];
-            if (tfm == crypto_default_rng)
-                drbg->disabled_vec_ops = (DISABLE_VECTOR_REGISTERS() == 0);
-            else
-                drbg->disabled_vec_ops = 0;
-            return drbg;
-        }
+        if (likely(__atomic_compare_exchange_n(&ctx->rngs[n].lock, &expected, new_lock_value, 0, __ATOMIC_SEQ_CST, __ATOMIC_ACQUIRE)))
+            return &ctx->rngs[n];
         ++n;
         if (n >= (int)ctx->n_rngs)
             n = 0;
@@ -1115,11 +1108,8 @@ static inline struct wc_rng_inst *get_drbg_n(struct wc_linuxkm_drbg_ctx *ctx, in
 
     for (;;) {
         int expected = 0;
-        if (likely(__atomic_compare_exchange_n(&ctx->rngs[n].lock, &expected, 1, 0, __ATOMIC_SEQ_CST, __ATOMIC_ACQUIRE))) {
-            struct wc_rng_inst *drbg = &ctx->rngs[n];
-            drbg->disabled_vec_ops = 0;
-            return drbg;
-        }
+        if (likely(__atomic_compare_exchange_n(&ctx->rngs[n].lock, &expected, 1, 0, __ATOMIC_SEQ_CST, __ATOMIC_ACQUIRE)))
+            return &ctx->rngs[n];
         if (can_sleep) {
             if (signal_pending(current))
                 return NULL;
@@ -1137,10 +1127,6 @@ static inline void put_drbg(struct wc_rng_inst *drbg) {
         (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
     int migration_disabled = (drbg->lock == 2);
     #endif
-    if (drbg->disabled_vec_ops) {
-        REENABLE_VECTOR_REGISTERS();
-        drbg->disabled_vec_ops = 0;
-    }
     __atomic_store_n(&(drbg->lock),0,__ATOMIC_RELEASE);
     #if defined(CONFIG_SMP) && !defined(CONFIG_PREEMPT_COUNT) && \
         (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
@@ -1154,6 +1140,7 @@ static int wc_linuxkm_drbg_generate(struct crypto_rng *tfm,
                         u8 *dst, unsigned int dlen)
 {
     int ret, retried = 0;
+    int need_fpu_restore;
     struct wc_rng_inst *drbg = get_drbg(tfm);
 
     if (! drbg) {
@@ -1161,6 +1148,11 @@ static int wc_linuxkm_drbg_generate(struct crypto_rng *tfm,
         return -EFAULT;
     }
 
+    /* for the default RNG, make sure we don't cache an underlying SHA256
+     * method that uses vector insns (forbidden from irq handlers).
+     */
+    need_fpu_restore = (tfm == crypto_default_rng) ? (DISABLE_VECTOR_REGISTERS() == 0) : 0;
+
 retry:
 
     if (slen > 0) {
@@ -1194,6 +1186,8 @@ retry:
 
 out:
 
+    if (need_fpu_restore)
+        REENABLE_VECTOR_REGISTERS();
     put_drbg(drbg);
 
     return ret;
@@ -2054,3 +2048,5 @@ static int wc_linuxkm_drbg_cleanup(void) {
 }
 
 #endif /* LINUXKM_LKCAPI_REGISTER_HASH_DRBG */
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/linuxkm/x86_vector_register_glue.c b/linuxkm/x86_vector_register_glue.c
index 5ec17acfd..f40357d70 100644
--- a/linuxkm/x86_vector_register_glue.c
+++ b/linuxkm/x86_vector_register_glue.c
@@ -21,6 +21,7 @@
  */
 
 /* included by linuxkm/module_hooks.c */
+#ifndef WC_SKIP_INCLUDED_C_FILES
 
 #if !defined(WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS) || !defined(CONFIG_X86)
     #error x86_vector_register_glue.c included in non-vectorized/non-x86 project.
@@ -346,6 +347,13 @@ WARN_UNUSED_RESULT int wc_save_vector_registers_x86(enum wc_svr_flags flags)
 
     /* allow for nested calls */
     if (pstate && (pstate->fpu_state != 0U)) {
+        if (pstate->fpu_state & WC_FPU_INHIBITED_FLAG) {
+            /* don't allow recursive inhibit calls when already inhibited --
+             * it would add no functionality and require keeping a separate
+             * count of inhibit recursions.
+             */
+            return WC_ACCEL_INHIBIT_E;
+        }
         if (unlikely((pstate->fpu_state & WC_FPU_COUNT_MASK)
                      == WC_FPU_COUNT_MASK))
         {
@@ -353,17 +361,6 @@ WARN_UNUSED_RESULT int wc_save_vector_registers_x86(enum wc_svr_flags flags)
                    "pid %d on CPU %d.\n", pstate->pid, raw_smp_processor_id());
             return BAD_STATE_E;
         }
-        if (pstate->fpu_state & WC_FPU_INHIBITED_FLAG) {
-            if (flags & WC_SVR_FLAG_INHIBIT) {
-                /* allow recursive inhibit calls as long as the whole stack of
-                 * them is inhibiting.
-                 */
-                ++pstate->fpu_state;
-                return 0;
-            }
-            else
-                return WC_ACCEL_INHIBIT_E;
-        }
         if (flags & WC_SVR_FLAG_INHIBIT) {
             ++pstate->fpu_state;
             pstate->fpu_state |= WC_FPU_INHIBITED_FLAG;
@@ -535,3 +532,5 @@ void wc_restore_vector_registers_x86(enum wc_svr_flags flags)
 
     return;
 }
+
+#endif /* !WC_SKIP_INCLUDED_C_FILES */
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
index dad2f64ff..4a5df0561 100644
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -349,11 +349,12 @@ WOLFSSL_ABI WOLFSSL_API const char* wc_GetErrorString(int error);
         #endif
     #endif
     #ifndef WC_ERR_TRACE
-        #define WC_ERR_TRACE(label)                                \
-            ( WOLFSSL_DEBUG_PRINTF("ERR TRACE: %s L %d %s (%d)\n", \
-                      __FILE__, __LINE__, #label, label),          \
-              WOLFSSL_DEBUG_BACKTRACE_RENDER_CLAUSE,               \
-              label                                                \
+        #define WC_ERR_TRACE(label)                                   \
+            ( WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS \
+                                      "ERR TRACE: %s L %d %s (%d)\n", \
+                      __FILE__, __LINE__, #label, label),             \
+              WOLFSSL_DEBUG_BACKTRACE_RENDER_CLAUSE,                  \
+              label                                                   \
             )
     #endif
     #include <wolfssl/debug-trace-error-codes.h>