Firmware is signed by the developer using a private key. The SoC's secure boot firmware uses a corresponding public key (stored in HRoT or secure boot firmware) to verify signature during boot.