OK, so I managed to get hold of another 3560X running 12.2(55)SE software with bootloader 12.2(53r)SE1. This is an even older hardware version (Version ID: V01). I upgraded it to 15.0(2)SE1 and the bootloader didn't upgrade. The output on the console during boot simply says:
...done Initializing flashfs.
Checking for Bootloader upgrade..
Boot Loader upgrade not required (Stage 2)
However, if you add a FIPS authorization key and reload it, the bootloader does get upgraded:
Checking for Bootloader upgrade..New version = Version 15.0(2.1.15)SE1 Fri Ja, Current version = Version 12.2(53r)SE1, RELEASE
Upgrading Boot Loader...
Completed processing ucode0
Completed processing bstage:
Completed processing brom:
Completed processing bsdcs:
writing boot sectors..
Boot Upgrade image auto-rebooting ...
Burning parameters into flash parameter block:
MAC address: C4:71:00:00:00:00
Motherboard assembly number: 73-12557-04
Motherboard serial number: FDXXXXXXXXX
Model revision number: A0
Motherboard revision number: A0
Model number: WS-C3560X-48P-L
System serial number: FDXXXXXXXXX
Daughterboard assembly number: 800-32786-01
Daughterboard serial number: FDXXXXXXXXX
Top assembly part number: 800-31328-01
Top assembly revision number: A0
Version ID: V01
CLEI Code Number: COMJP00ARA
Board configuration revision number: 0
Reading parameter block...done.
Editing copy...done.
Writing parameter block...done.
Parameters burned into parameter block.
done.
The system will now restart
So the bootloader is now version 15.0(2.1.15)SE1. I then proceeded to upgrade to some later versions to see whether the bootloader would get upgraded to something later (I am aiming for 15.2(3r)E or later). So far it hasn't. I tried 15.2(1)E1, 15.2(3)E3 and I have just upgraded to the latest 15.2(4)E9. The same message is displayed on the console saying the bootloader doesn't need upgrading.
...done Initializing flashfs.
Checking for Bootloader upgrade..New version = Version 15.0(2.1.15)SE1 Mon Se, Current version = Version 15.0(2.1.15)SE1, TEST
Boot Loader upgrade not needed(v)
Still somewhat confused over this tbh...
Just added the 'fips authorization-key xxxxx' to the original 3560X I was playing with that is running 15.2(4)E9 but with the 12.2(53r)SE1 bootloader. The bootloader gets upgraded but only to 15.0(2.1.15)SE1:
Checking for Bootloader upgrade..New version = Version 15.0(2.1.15)SE1 Fri Ja, Current version = Version 12.2(53r)SE1, RELEASE
Upgrading Boot Loader...
So I think older hardware versions never originally supported FIPS, so when this came about Cisco had to provide an update to the bootloader that verified the IOS image as part of the FIPS accreditation. Newer hardware versions, I suspect, already have this functionality built in to the bootloader (anything after 15.0, I guess?).
If I come across any other 3560Xs or 3750Xs that are newer hardware versions, I might see what happens when you add the fips command.