Index: lib/Makefile =================================================================== --- lib/Makefile +++ lib/Makefile @@ -28,6 +28,7 @@ libalias \ libarchive \ libauditd \ + ${_libbearssl} \ libbegemot \ libblocksruntime \ libbsdstat \ @@ -90,6 +91,8 @@ libugidfw \ libulog \ libutil \ + ${_libve} \ + ${_libveriexec} \ ${_libvgl} \ libwrap \ libxo \ @@ -161,6 +164,14 @@ _libclang_rt= libclang_rt .endif +.if ${MK_BEARSSL} != "no" +_libbearssl= libbearssl +_libve= libve +.endif +.if ${MK_VERIEXEC} != "no" +_libveriexec= libveriexec +.endif + .if ${MK_LIBCPLUSPLUS} != "no" _libcxxrt= libcxxrt _libcplusplus= libc++ Index: share/mk/src.libnames.mk =================================================================== --- share/mk/src.libnames.mk +++ share/mk/src.libnames.mk @@ -208,6 +208,21 @@ osmvendor .endif +.if ${MK_BEARSSL} == "yes" +_INTERNALLIBS+= \ + bearssl \ + ve \ + +LIBBEARSSL?= ${LIBBEARSSLDIR}/libbearssl.a +LIBVE?= ${LIBVEDIR}/libve.a +.endif + +.if ${MK_VERIEXEC} == "yes" +_INTERNALLIBS+= veriexec + +LIBVERIEXEC?= ${LIBVERIEXECDIR}/libveriexec.a +.endif + # Each library's LIBADD needs to be duplicated here for static linkage of # 2nd+ order consumers. Auto-generating this would be better. _DP_80211= sbuf bsdxml Index: share/mk/src.opts.mk =================================================================== --- share/mk/src.opts.mk +++ share/mk/src.opts.mk @@ -189,6 +189,7 @@ ZONEINFO __DEFAULT_NO_OPTIONS = \ + BEARSSL \ BSD_GREP \ CLANG_EXTRAS \ DTRACE_TESTS \ @@ -214,6 +215,8 @@ __DEFAULT_DEPENDENT_OPTIONS= \ CLANG_FULL/CLANG \ LLVM_TARGET_ALL/CLANG \ + LOADER_VERIEXEC/BEARSSL \ + VERIEXEC/BEARSSL \ # MK_*_SUPPORT options which default to "yes" unless their corresponding # MK_* variable is set to "no". Index: tools/build/options/WITH_BEARSSL =================================================================== --- /dev/null +++ tools/build/options/WITH_BEARSSL 
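Review bot: In the `@@ -161,6 +164,14 @@` hunk of lib/Makefile, `_libbearssl= libbearssl` is switched on by `MK_BEARSSL` alone, yet the WITH_BEARSSL text in this same diff says the sources live in an external checkout named by `BEARSSL`, and nothing visible here stops the build from descending into lib/libbearssl when that variable is unset. Because this library performs the signature verification for Verified Exec and the loader, I would fail early and loudly, for example with `.if ${MK_BEARSSL} != "no" && !defined(BEARSSL)` followed by an `.error` line naming the missing variable, unless lib/libbearssl/Makefile (not in view) already does so. The test is also spelled `!= "no"` here while the matching block in share/mk/src.libnames.mk uses `== "yes"`; one spelling for both would read better.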
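Review bot: The `_INTERNALLIBS` entries `bearssl`, `ve` and `veriexec` added to share/mk/src.libnames.mk come without any `_DP_` lines, although the comment directly below the added block says each library's LIBADD has to be duplicated there for static linkage of second-order consumers. If libve links against libbearssl, as its role suggests (its Makefile is not in view), a line such as `_DP_ve= bearssl` is needed, and likewise for whatever libveriexec pulls in. Without them a static consumer of libveriexec or libve would have to know and repeat the crypto dependency itself.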
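Review bot: `LOADER_VERIEXEC/BEARSSL` and `VERIEXEC/BEARSSL` in `__DEFAULT_DEPENDENT_OPTIONS` (share/mk/src.opts.mk, second hunk) only make those options follow `MK_BEARSSL` by default; as I read the option machinery, an explicit `WITH_VERIEXEC` or `WITH_LOADER_VERIEXEC` still wins when BearSSL is off. The option pages say both depend on WITH_BEARSSL, and lib/Makefile gates `_libveriexec` on `MK_VERIEXEC` alone, so that combination would try to build the verification code without its crypto library. The reverse also deserves a sentence in the option text: enabling BEARSSL turns both features on unless they are disabled explicitly. I would enforce the dependency where src.opts.mk (outside this hunk) overrides other dependent options, as below; an `.error` there instead would be the stricter choice for a security feature the user asked for by name.

```make
# Verified Exec and loader verification cannot work without BearSSL.
.if ${MK_BEARSSL} == "no"
MK_VERIEXEC:= no
MK_LOADER_VERIEXEC:= no
.endif
```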
@@ -0,0 +1,14 @@
+.\" $FreeBSD$
+BearSSL is a tiny SSL library suitable for embedded environments.
+For details see
+http://www.BearSSL.org/
+.Pp
+This library is not yet part of FreeBSD, but
+libbearssl can be built by setting
+.Va BEARSSL
+to point to the top of the BearSSL checkout.
+.Pp
+This library is currently only used to perform
+signature verification and related operations
+for Verified Exec and
+.Xr loader 8 .
Index: tools/build/options/WITH_LOADER_VERIEXEC
===================================================================
--- /dev/null
+++ tools/build/options/WITH_LOADER_VERIEXEC
@@ -0,0 +1,7 @@
+.\" $FreeBSD$
+This option enables building
+.Xr loader 8
+with support for verifcation similar to Verified Exec.
+.Pp
+It depends on
+.Va WITH_BEARSSL
Index: tools/build/options/WITH_VERIEXEC
===================================================================
--- /dev/null
+++ tools/build/options/WITH_VERIEXEC
@@ -0,0 +1,9 @@
+.\" $FreeBSD$
+This option enables building
+.Xr veriexec 8
+which loads the contents of verified manifests into the kernel
+for use by
+.Xr mac_veriexec 4
+.Pp
+It depends on
+.Va WITH_BEARSSL