This feature depends on an external library: BearSSL
There are two new libraries libbearssl and libve
both of which can be consumed into libsa for the loader
or built as normal libraries.
I needed to add -O1 to stand/defs.mk else the loader was too big
lib/libve/local.trust.mk should be considered an example.