3 files changed, 17 insertions, 1 deletions

diff --git a/src/usr/pnor/pnor_utils.C b/src/usr/pnor/pnor_utils.C
index 5a8d39065..979b1cb1f 100644
--- a/src/usr/pnor/pnor_utils.C
+++ b/src/usr/pnor/pnor_utils.C
@@ -360,7 +360,8 @@ bool PNOR::isEnforcedSecureSection(const uint32_t i_section)
     #ifdef BOOTLOADER
         return i_section == HB_BASE_CODE;
     #else
-        return i_section == HB_EXT_CODE ||
+        return i_section == HB_BOOTLOADER ||
+               i_section == HB_EXT_CODE ||
                i_section == HB_DATA ||
                i_section == SBE_IPL ||
                i_section == CENTAUR_SBE ||
diff --git a/src/usr/sbe/sbe_update.C b/src/usr/sbe/sbe_update.C
index 86869bff9..8d045a85b 100644
--- a/src/usr/sbe/sbe_update.C
+++ b/src/usr/sbe/sbe_update.C
@@ -1846,6 +1846,7 @@ namespace SBE
             }
             const void* hbblPnorPtr = reinterpret_cast<const void*>(
                                                                 pnorInfo.vaddr);
+
             // Use max hbbl size and not the PNOR size. The PNOR size can grow
             // to add a secure header, but the code size limit is still 20K.
             TRACFCOMP( g_trac_sbe, "getSbeInfoState() - "
@@ -3709,6 +3710,12 @@ namespace SBE
                 break;
             }
 
+            err = loadSecureSection(PNOR::HB_BOOTLOADER);
+            if(err)
+            {
+                TRACFCOMP( g_trac_sbe, ERR_MRK,"createSbeImageVmmSpace() - Error from loadSecureSection(PNOR::HB_BOOTLOADER)");
+                break;
+            }
 #endif
 
         }while(0);
@@ -3813,6 +3820,13 @@ namespace SBE
                 TRACFCOMP( g_trac_sbe, ERR_MRK"cleanupSbeImageVmmSpace() - Error from unloadSecureSection(PNOR::SBE_IPL)");
                 break;
             }
+
+            err = unloadSecureSection(PNOR::HB_BOOTLOADER);
+            if (err)
+            {
+                TRACFCOMP( g_trac_sbe, ERR_MRK,"cleanupSbeImageVmmSpace() - Error from unloadSecureSection(PNOR::HB_BOOTLOADER)");
+                break;
+            }
 #endif
 
         }while(0);
diff --git a/src/usr/secureboot/base/securerommgr.C b/src/usr/secureboot/base/securerommgr.C
index 264f6a411..b51127820 100644
--- a/src/usr/secureboot/base/securerommgr.C
+++ b/src/usr/secureboot/base/securerommgr.C
@@ -264,6 +264,7 @@ errlHndl_t SecureRomManager::verifyContainer(void * i_container,
         // struct elements my_ecid, entry_point and log
         memset(&l_hw_parms, 0, sizeof(ROM_hw_params));
 
+        // Now set hw_key_hash, which is of type sha2_hash_t, to iv_key_hash
         if (i_hwKeyHash == nullptr)
         {
             // Use current hw hash key