Yes. The hash of the application code and the 256 bit Unique Device Secret is hashed to generate a primary secret, which then the application can use to derive the secrets it needs.
You can additionally supply a secret from the host (the User Supplied Secret). This means that the keys generated are tied to the specific device (the UDS), that the integrity of the application is correct, and to you as a user.
You can additionally supply a secret from the host (the User Supplied Secret). This means that the keys generated are tied to the specific device (the UDS), that the integrity of the application is correct, and to you as a user.