Thank you for your pointers; I had read and watched all that already. These features describe how authenticated boot is done, but that is not what we are after with the Trusted Computing Group DICE functionality. We are looking to do measured boot, to create an attestation record of what booted. For that purpose we need a device secret that can only be read by the very first binary and is then made inaccessible to protect the root of trust for identity/measurement.
I am looking at what kind of access protections exist around the fuse keys, if any. From the documentation I see that the first binary may be encrypted, for example. That is great functionality because we can embed the device identity in that first binary and encrypt it against unauthorized access. But the question remains: other than the boot ROM code, who can get access to the decryption key for that first binary? If the answer is "access is limited to the ROM code", then that is perfect and will do for us.
However, if for example TrustZone code could also get access to that key and be able to decrypt the first mutable binary, then that would potentially expose that high-integrity boot secret to a lower-integrity execution context. Do you have any documentation that describes in detail what happens in the boot ROM - for example how the fuse keys are used to decrypt the first mutable binary?
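As an added illustration of the DICE hand-off the post is asking about (example code written for this reply, not from the thread or any vendor's boot ROM): the ROM alone reads the Unique Device Secret, binds it to the measurement of the first mutable binary to produce the Compound Device Identifier, and latches the secret before passing control. The class and method names, the `sha256`/HMAC choice and the sample UDS are all assumptions of this toy model.

```python
import hashlib
import hmac


class DiceBootRom:
    """Toy model of DICE layer 0: only the ROM ever sees the UDS."""

    def __init__(self, uds: bytes):
        self._uds = uds          # constructed stand-in for the fuse-backed secret
        self._locked = False     # becomes True once the ROM hands off

    def read_uds(self) -> bytes:
        # Any read after the latch (e.g. from a TEE or later stage) is refused,
        # which is the property the asker wants from the hardware.
        if self._locked:
            raise PermissionError("UDS latched: only the ROM may read it")
        return self._uds

    def measure_and_derive(self, first_binary: bytes) -> tuple[bytes, bytes]:
        # Measurement of the first mutable code becomes the attestation record.
        measurement = hashlib.sha256(first_binary).digest()
        # CDI = HMAC(UDS, measurement): same UDS + different code => different CDI.
        cdi = hmac.new(self.read_uds(), measurement, hashlib.sha256).digest()
        self._locked = True      # hide the UDS before the first binary runs
        return measurement, cdi


def boot(uds: bytes, first_binary: bytes) -> tuple[DiceBootRom, bytes, bytes]:
    """Simulate one boot: returns the ROM (now latched), measurement and CDI."""
    rom = DiceBootRom(uds)
    measurement, cdi = rom.measure_and_derive(first_binary)
    return rom, measurement, cdi
```

The CDI is what the first mutable binary hands to later layers; it attests to what booted without ever exposing the UDS to them.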