I think that it should be (made) possible to use NSS's hashing and HMAC functions during startup, before opening the NSS key and cert DBs. This is part of our overall goal of eliminating File I/O during startup whenever possible, for performance reasons.
Now that you can open NSS databases later, We could experiment with using NSS_NoDBInit() and then using NSS_OpenUserDB to later open our db's and slots. To do this right, we would probably want to remember FIPS preferences in firefox because you wouldn't want to do this in FIPS mode and you won't know until you open the database. There may have to be additional NSS changes to make that all work. bob