It is primarly used in loader to verify kernel and its modules. Since making the OpenSSL work in loader proved to be problematic, it uses BearSSL instead. It is planned to use it to verify modules in kldload.
Unit Tests Skipped
(sorry don't know how else to contact you ;-)
I'm thinking this should be merged with libve so we can work to a single API that loader calls to verify stuff.
The functionality you have is I think a subset of that in libve.
The name libve is far from ideal.
Do you have any objection to renaming it to libsecureboot as a first step?