It's not a matter of firmware vs. software; it is a matter of execution of authorized code. How does that happen? Read about the Trusted Execution Environment (TEE). There can be different implementations, using the same CPU or not. If you read about ARM TrustZone, it will give you a top-level explanation of how the CPU supports this mode. Basically, security starts from a signed boot loader, which loads the Secure OS and sets up memory protection zones. Later, under supervision of the Secure OS, only authorized Trusted Applications will be loaded by the Secure OS and executed in a protected zone where the Host OS has no access, except for communication channels using shared memory.
For those who want to know more about the Trusted Execution Environment, first I would recommend you read here:
https://www.op-tee.org/category/blog/
Start with:
https://www.op-tee.org/blog/hkg15-311-op-tee-beginners-porting-review/
Another source to read:
https://www.arm.com/products/security-on-arm/trustzone
Maybe I'll add more links later.
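The chain described in the answer above (signed boot loader, Secure OS, authorized Trusted Applications, host access only through shared memory) as an added toy model; this is illustration code, not OP-TEE's or ARM's, and its "signatures" are HMAC tags under a key assumed to be fixed in boot ROM, standing in for the public-key verification a real chain uses.

```python
import hashlib
import hmac

# Assumption: an OEM verification key provisioned in boot ROM or fuses.
# A real device verifies a public-key signature here; HMAC keeps the model short.
ROM_KEY = b"constructed-rom-key"


def sign(image: bytes) -> bytes:
    """Stand-in for the OEM signing step applied to each image."""
    return hmac.new(ROM_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    """Constant-time check that an image carries a valid tag."""
    return hmac.compare_digest(sign(image), sig)


class SecureWorld:
    """Secure OS: owns the protected zone and loads only authorized TAs."""

    def __init__(self) -> None:
        self.protected = {}   # TA state; never handed to the host
        self.shared = {}      # the only memory the host world can see

    def load_ta(self, name: str, code: bytes, sig: bytes) -> bool:
        if not verify(code, sig):          # unsigned or tampered TA is refused
            return False
        secret = hashlib.sha256(code).digest()   # constructed per-TA secret
        self.protected[name] = {"code": code, "secret": secret}
        return True

    def invoke(self, name: str, request: bytes) -> bytes:
        """Host request arrives via shared memory; only the result goes back."""
        ta = self.protected.get(name)
        if ta is None:
            return b"ERR:no such TA"
        self.shared[name] = request
        return hmac.new(ta["secret"], request, hashlib.sha256).hexdigest().encode()


def boot(secure_os_image: bytes, sig: bytes):
    """Boot loader: start the Secure OS only if its signature verifies."""
    return SecureWorld() if verify(secure_os_image, sig) else None


def host_view(world: SecureWorld) -> dict:
    """What the Host OS can address: shared memory, not the protected zone."""
    return dict(world.shared)
```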