I have one more question about this subject. At the end I use fuse prog to save SRK hash values in OTP and all is working as supposed, with no hab events.
After that I also use encryption and again all is working fine and properly.
The last step was also sign the kernel image with CSF tool, and again also this part was easy and the check returns no hab events found, but now I'm asking if i can also encrypt kernel image using the CSF tools. (this is not specified anywhere)