yes, see:

https://www.illumos.org/issues/5886

https://www.illumos.org/issues/5887

https://us-east.manta.joyent.com/rmustacc/public/webrevs/5886/index.html (see dboot_startkern.c)
the bootfs update also has update to verify the module hashes. As the 5886/5887 are in process to be reviewd, I did address this request to be  request for comments in dev list - once bootfs will progress and people think this change is way to go, I'll file an RFE.

Actually, verifying the hash is already present for the boot archive. That was integrated in https://www.illumos.org/issues/3364.

How would I go about using that functionality?

with current kernel and grub, it should be enough to add following line to specific menu entry, after boot_archive itself:

module$ /platform/i86pc/$ISADIR/boot_archive.hash
however, to actually see if the hash was checked, you need to add -B prom_debug=1 to kernel options, also it will help if you can direct console to serial port and capture - prom_debug will spit out a lot of data.
a bit indirect way us to edit hash file and change hash value - if the hash is checked and it fails, you will get panic. with this strategy, the panic with bad hash will tell you that hash check indeed was performed.

reworked to use asprintf() instead. if path is getting too long, fopen() will fail and error will be set.

removed it; was carried over from digest source, but bootadm is run by admin, so this message is not needed.

yes, carried over from digest command...

Right, this is oversighted leftover from digest. Since digest is processing multiple files, that code had to complete disgest update step. Since bootadm does not digest multiple files in same PKI session, we can return at once and close the session. Thanks for spotting this issue:)