Chromium Code Reviews

Unified Diff: scripts/image_signing/ensure_secure_kernelparams.config

Issue 6253014: Add script to validate kernel params before we sign images (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git@master
Patch Set: Fixes for nits Created 9 years, 11 months ago
Index: scripts/image_signing/ensure_secure_kernelparams.config
diff --git a/scripts/image_signing/ensure_secure_kernelparams.config b/scripts/image_signing/ensure_secure_kernelparams.config
new file mode 100755
index 0000000000000000000000000000000000000000..bf2582bacfa68157c369a2dac1e1d79bee81338e
--- /dev/null
+++ b/scripts/image_signing/ensure_secure_kernelparams.config
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+#
+# COMMON
+#
+required_kparams_common=( quiet console=tty2 init=/sbin/init add_efi_memmap
+ boot=local rootwait ro noresume noswap i915.modeset=1
+ loglevel=1 cros_secure kern_guid=%U tpm_tis.force=1
+ tpm_tis.interrupts=0 root=/dev/dm-0
+ dm_verity.error_behavior=3 dm_verity.max_bios=-1
+ dm_verity.dev_wait=1 noinitrd )
+
+optional_kparams_common=( )
+
+# use "MAGIC_HASH" in place of the unpredictable sha1 hash, comparison
+# functions later take care of the rest.... This set of dmparams
+# taken from observation of current builds. In particular we may see
+# the size of the filesystem creep over time. That size is denoted by
+# the large number that appears a couple times in this string.
+required_dmparams_common="vroot none ro,0 1740800 verity /dev/sd%D%P \
+/dev/sd%D%P 1740800 1 sha1 MAGIC_HASH"
+
+
+#
+# x86-mario
+#
+required_kparams_x86_mario=( ${required_kparams_common[@]} )
+optional_kparams_x86_mario=( ${optional_kparams_common[@]} )
+required_dmparams_x86_mario="$required_dmparams_common"
+
+#
+# x86-agz
+#
+required_kparams_x86_agz=( ${required_kparams_common[@]} )
+optional_kparams_x86_agz=( ${optional_kparams_common[@]} )
+required_dmparams_x86_agz="$required_dmparams_common"
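Review bot: In required_dmparams_common the rootfs size 1740800 is hardcoded twice, and the comment directly above it already notes that this size may creep over time. Unless the comparison functions the comment refers to special-case the number, an image with a larger rootfs would be rejected until this file is edited by hand. Consider a placeholder token for the size, in the same way MAGIC_HASH stands in for the sha1, or a per-board value, so that x86_mario and x86_agz do not both inherit one observed number. Separately, the per-board assignments expand `${required_kparams_common[@]}` and `${optional_kparams_common[@]}` unquoted; writing `"${required_kparams_common[@]}"` keeps each parameter a single array element and avoids globbing if a future value contains whitespace or wildcard characters. The file is also added with mode 100755 and a `#!/bin/bash` line although it only defines variables; if it is meant to be sourced rather than executed, mode 100644 without the shebang would make that explicit.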