It is unclear at this time which Samsung devices can be secured because Knox requires specific on-chip read-only-memory (ROM) hardware. Using well-understood cryptography techniques, trusted onboard code verifies the very first operating system component that does not reside in ROM called the boot loader. Using public key encryption, each operating system component is verified against its signature, created with a secure hash algorithm (SHA) until all Android components are loaded and operational. To convert this known runtime environment into a “trusted” runtime environment, Samsung turned to its partner General Dynamics, which said the technology integrated with Samsung is "trusted to protect information classified from the Secret level and below."
Link to Original Source