diff --git a/modules/services/ssh-agent.nix b/modules/services/ssh-agent.nix
index b3f7ccf77..7fda6c7f3 100644
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -37,6 +37,17 @@ in
 '';
 };
 
+ pkcs11Whitelist = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = lib.literalExpression ''[ "''${pkgs.tpm2-pkcs11}/lib/*" ]'';
+ description = ''
+ Specify a list of approved path patterns for PKCS#11 and FIDO authenticator middleware libraries. When using the -s or -S options with {manpage}`ssh-add(1)`, only libraries matching these patterns will be accepted.
+
+ See {manpage}`ssh-agent(1)`.
+ '';
+ };
+
 enableBashIntegration = lib.hm.shell.mkBashIntegrationOption { inherit config; };
 
 enableZshIntegration = lib.hm.shell.mkZshIntegrationOption { inherit config; };
@@ -101,6 +112,10 @@ in
 lib.optionalString (
 cfg.defaultMaximumIdentityLifetime != null
 ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+ }${
+ lib.optionalString (
+ cfg.pkcs11Whitelist != [ ]
+ ) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
 }";
 };
 
@@ -114,6 +129,10 @@ in
 lib.optionalString (
 cfg.defaultMaximumIdentityLifetime != null
 ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+ }${
+ lib.optionalString (
+ cfg.pkcs11Whitelist != [ ]
+ ) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
 }''
 ];
 KeepAlive = {
@@ -124,7 +143,5 @@ in
 RunAtLoad = true;
 };
 };
-
 };
-
 }
diff --git a/tests/modules/services/ssh-agent/darwin/default.nix b/tests/modules/services/ssh-agent/darwin/default.nix
index 310b0ae59..81d35a23a 100644
--- a/tests/modules/services/ssh-agent/darwin/default.nix
+++ b/tests/modules/services/ssh-agent/darwin/default.nix
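Review bot: The description of `pkcs11Whitelist` should say that the list replaces ssh-agent's built-in allow-list rather than extending it — `-P` supplies the whole pattern-list, so per ssh-agent(1) a user who approves only a TPM provider path also drops the stock `/usr/lib*/*` defaults. It should also say that entries are glob patterns: a broad one such as `/nix/store/*` approves every library in the store, which defeats the purpose of an allow-list, so the package-scoped form shown in the example is the one to recommend. On Linux the value is placed on a systemd `ExecStart=` line, where a literal `%` in an entry would presumably be read as a specifier; that is worth one sentence too. Suggested addition to the description: `Setting this replaces the agent's default list instead of extending it. Entries are glob patterns; prefer package-scoped paths such as the example over store-wide patterns.`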
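Review bot: The added `" -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"` hard-codes single quotes around a user-supplied list, so an entry containing `'` breaks out of the quoting both on the systemd `ExecStart=` line here and in the darwin `bash -c` string in the following hunk, and `listOf str` does not rule that out; the enclosing string expression starts before the hunk. The library already has an escaper for this: `) " -P ${lib.escapeShellArg (lib.concatStringsSep "," cfg.pkcs11Whitelist)}"` — or, if the literal quoted form is wanted for the fixtures, add an `assertions` entry that rejects entries containing `'` or `,` (a comma would silently split one pattern into two). Note that `escapeShellArg` may emit the value without quotes when none are needed, so the expected fixtures would need regenerating, and systemd's `ExecStart=` quoting rules should be checked to accept the escaped form. The `-P` snippet is now duplicated across the two launchers like the existing `-t` one; a single `let` binding for the extra flags would keep them from drifting.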
@@ -1,6 +1,7 @@
 {
 ssh-agent-darwin-basic-service = ./basic-service.nix;
 ssh-agent-darwin-timeout-service = ./timeout-service.nix;
+ ssh-agent-darwin-pkcs11-service = ./pkcs11-service.nix;
 ssh-agent-darwin-bash-integration = ./bash-integration.nix;
 ssh-agent-darwin-nushell-integration = ./nushell-integration.nix;
 }
diff --git a/tests/modules/services/ssh-agent/darwin/pkcs11-service-expected.plist b/tests/modules/services/ssh-agent/darwin/pkcs11-service-expected.plist
new file mode 100644
index 000000000..d6b5d8fb8
--- /dev/null
+++ b/tests/modules/services/ssh-agent/darwin/pkcs11-service-expected.plist
@@ -0,0 +1,25 @@
+
+
+
+
+ KeepAlive
+
+ Crashed
+
+ SuccessfulExit
+
+
+ Label
+ org.nix-community.home.ssh-agent
+ ProcessType
+ Background
+ ProgramArguments
+
+ @bash-interactive@/bin/bash
+ -c
+ @openssh@/bin/ssh-agent -D -a "$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent" -P '/usr/lib/libpkcs11.so,/usr/lib/other.so'
+
+ RunAtLoad
+
+
+
\ No newline at end of file
diff --git a/tests/modules/services/ssh-agent/darwin/pkcs11-service.nix b/tests/modules/services/ssh-agent/darwin/pkcs11-service.nix
new file mode 100644
index 000000000..ecfbfff8f
--- /dev/null
+++ b/tests/modules/services/ssh-agent/darwin/pkcs11-service.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ ...
+}:
+
+{
+ services.ssh-agent = {
+ enable = true;
+ pkcs11Whitelist = [
+ "/usr/lib/libpkcs11.so"
+ "/usr/lib/other.so"
+ ];
+ package = config.lib.test.mkStubPackage { outPath = "@openssh@"; };
+ };
+
+ nmt.script = ''
+ assertFileContent \
+ LaunchAgents/org.nix-community.home.ssh-agent.plist \
+ ${./pkcs11-service-expected.plist}
+ '';
+}
diff --git a/tests/modules/services/ssh-agent/linux/default.nix b/tests/modules/services/ssh-agent/linux/default.nix
index a8aff2878..1fc5fd4ff 100644
--- a/tests/modules/services/ssh-agent/linux/default.nix
+++ b/tests/modules/services/ssh-agent/linux/default.nix
@@ -1,4 +1,5 @@
 {
 ssh-agent-basic-service = ./basic-service.nix;
 ssh-agent-timeout-service = ./timeout-service.nix;
+ ssh-agent-pkcs11-service = ./pkcs11-service.nix;
 }
diff --git a/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service b/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service
new file mode 100644
index 000000000..543d1d600
--- /dev/null
+++ b/tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service
@@ -0,0 +1,9 @@
+[Install]
+WantedBy=default.target
+
+[Service]
+ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -P '/nix/store/*/lib,/usr/lib/libpkcs11.so,/usr/lib/other.so'
+
+[Unit]
+Description=SSH authentication agent
+Documentation=man:ssh-agent(1)
diff --git a/tests/modules/services/ssh-agent/linux/pkcs11-service.nix b/tests/modules/services/ssh-agent/linux/pkcs11-service.nix
new file mode 100644
index 000000000..179c115a0
--- /dev/null
+++ b/tests/modules/services/ssh-agent/linux/pkcs11-service.nix
@@ -0,0 +1,16 @@
+{
+ services.ssh-agent = {
+ enable = true;
+ pkcs11Whitelist = [
+ "/nix/store/*/lib"
+ "/usr/lib/libpkcs11.so"
+ "/usr/lib/other.so"
+ ];
+ };
+
+ nmt.script = ''
+ assertFileContent \
+ home-files/.config/systemd/user/ssh-agent.service \
+ ${./pkcs11-service-expected.service}
+ '';
+}