Disk Encryption on TX2

Hello ellen1474713,

SecureBoot
If you program the fuses (i.e. PKC, SBK, KEKs…), the fuses are designed to be inaccessible for production.
The concept of SecureBoot is to prevent execution of unauthorized code during the boot process through a chain of trust;
it authenticates boot components (such as the Boot Configuration Table, bootloader binaries, and warmboot vector) that were signed using a private key.

SecureOS
Since SecureBoot is to ensure the boot process is secure, TrustZone is the SecureOS afterwards.
That’s the trusted execution environment (TEE) where trusted applications run to gain access to security assets securely. It won’t decrypt encrypted boot code, as it has already passed the boot stage, but it does allow your apps to access secure assets. For instance, secure storage is one example. Encrypted video content is another example. This is a run-time environment where your application is running.

Please refer to the developer guide, Security; you may check each section for detailed information.
Thanks