I havent checked the actual standard doc for exact explanation - I just assume our kernel module [sha2.c] (and libgcrypt for that matter) have implemented it according to standards;) and yes, without this byteswap indeed we get resulting bytes in resulting octlets in reverse order and therefore the checksum match will obviously fail - I actually did double-check this while I was developing the initial fix in loader project and while implementing this bugfix for grub.

Matt: this is because the GRUB implementation of SHA2 is somewhat simplified and didn't use to do stuff 100% by the book (before this fix). So while calculating, SHA-512 keeps state in eight 64-bit registers labeled H[0] through H[7]. SHA-2 allows little-endian platforms to perform the actual transform arithmetic in native byte order to preserve speed, but for the final product to be consistent with the standard, little-endian hardware then needs to byte-swap output. This wasn't done in GRUB and instead I incorrectly used the little-endian state. If you have a look at Encode64 in usr/src/common/crypto/sha2/sha2.c (which is used during the final output phase in the regular in-kernel SHA2Final()), it byteswaps on little endian hardware.