hello ncs1,
let’s have this topic for security things.
fuses are designed to be inaccessible for production.
the concept of Secureboot is to prevent execution of unauthorized code during boot process through chain-of-trust;
those authenticates boot components (such as, Boot Configuration Table, bootloader binaries, and warmboot vector) were signed using private key.
FYI,
PKC for sign: if PKC is burned, then the KEYFILE users provide is for signing the images.
SBK for encryption: if SBK is burned, then the SBKFILE users provide is for encrypting the images.
Any binaries loaded before CBoot are encrypted by SBK key; Any binaries loaded by CBoot are encrypted by user_key, the user_key is specified in eks.img. user_key is purely software, user can define it; 0 user_key means no encryption.
you may see-also forum discussion threads, such as Topic 157952, Topic 166401, and Topic 208426.
furthermore,
please also dig into Fuse Specification, it gives you detail descriptions for fuse variables.
thanks