There are dedicated bits in eFUSEs that correspond to the S-HWRoT boot mode. If any one of these bits are set, the S-HWRoT boot mode forces the device to only boot images that have the PLM and MetaHeader encrypted using a black (encrypted) eFUSE key. Encryption of partitions beyond the PLM and MetaHeader is defined by the MetaHeader which is authenticated using AES-GCM.