Always Lock Down SBE SEEPROM After SBE Update

Always force the SUL to be on, regardless of the status of
security on the system. This will lock down the SBE SEEPROM
and prevent writes to it. Do the setting of SUL after istep 10.2
after SBE is updated.

Change-Id: If18986d709a44c8848ff31486bc1154759359c4c
Reviewed-on: http://ralgit01.raleigh.ibm.com/gerrit1/56822
Tested-by: Jenkins Server <pfd-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP Build CI <op-jenkins+hostboot@us.ibm.com>
Tested-by: Jenkins OP HW <op-hw-jenkins+hostboot@us.ibm.com>
Tested-by: FSP CI Jenkins <fsp-CI-jenkins+hostboot@us.ibm.com>
Reviewed-by: Nicholas E. Bofferding <bofferdn@us.ibm.com>
Reviewed-by: Michael Baiocchi <mbaiocch@us.ibm.com>
Reviewed-by: Daniel M. Crowell <dcrowell@us.ibm.com>

1 files changed, 4 insertions, 5 deletions

diff --git a/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C b/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C
index bac5d950b..6aba97bc5 100644
--- a/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C
+++ b/src/usr/isteps/istep10/call_proc_cen_ref_clk_enable.C
@@ -329,10 +329,8 @@ void validateSecuritySettings()
         ERRORLOG::errlCommit( err, SECURE_COMP_ID );
     }
 
-    // Start of update procedure
-    #ifdef CONFIG_SECUREBOOT
-
-    bool l_force = false;
+    // Always lock SBE SEEPROM
+    bool l_force = true;
 
     TARGETING::TargetHandleList l_procList;
     getAllChips(l_procList,TARGETING::TYPE_PROC,true);
@@ -383,7 +381,7 @@ void validateSecuritySettings()
 
         const fapi2::Target<fapi2::TARGET_TYPE_PROC_CHIP> l_fapiTarg(*pProcItr);
 
-        FAPI_INVOKE_HWP(err, p9_update_security_ctrl, l_fapiTarg);
+        FAPI_INVOKE_HWP(err, p9_update_security_ctrl, l_fapiTarg, l_force);
 
         if (err)
         {
@@ -459,6 +457,7 @@ void validateSecuritySettings()
     } while(0);
     // end of p9_update_security_ctrl procedure
 
+    #ifdef CONFIG_SECUREBOOT
     // Enforce Synchronized Proc Security State
     do {