Document a kernel command line security requirement.

If we add a kernel command line parameter (commonly done in
modify_kernel_command_line() of a board specific script),
the commit queue accepts the change, but the canary build can break when
the signer test detects an unfamiliar (and possibly insecure) parameter.

TEST=none, inline comment only

Change-Id: I7ea25b73a791a24af7739d7cc5860cd168c964a4
Tested-by: Bryan Freed <>
Reviewed-by: Mike Frysinger <>
Commit-Queue: Bryan Freed <>
diff --git a/ b/
index ff43262..5b52039 100755
--- a/
+++ b/
@@ -100,6 +100,13 @@
 # Munge the kernel command line.
 # Intended to be overridden by boards that wish to add to the command line.
 # $1 - Configuration file containing boot args.
+# All kernel command line changes must update the security base lines in
+# the signer.  It rejects any settings it does not recognize and breaks the
+# build.  So any modify_kernel_command_line() function change here or in a
+# board specific needs to be reflected in
+# ensure_secure_kernelparams.config.
+# See as an example.
 modify_kernel_command_line() {
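Review bot: the last added comment line, "# See as an example.", names nothing to look at, and "in a board specific" two lines above it is missing its noun, so the comment says an update is required without showing where a correct one can be found. Suggest naming the example change or file after "See", writing "board specific script" as the commit message does, and giving the location of ensure_secure_kernelparams.config in the signer. Because the comment states that the signer rejects any setting it does not recognize and breaks the build, it would also help to say that the baseline update must land together with, or before, the command line change.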