build_kernel_image: add warning for kernel parameters w.r.t. signing

BUG=None
TEST=Comment Only

Change-Id: I03fd7e875686c2f3ce78919d5f893cb2ecb10525
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosutils/+/2541322
Tested-by: George Engelbrecht <engeg@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
diff --git a/build_kernel_image.sh b/build_kernel_image.sh
index 364524f..8e3b134 100755
--- a/build_kernel_image.sh
+++ b/build_kernel_image.sh
@@ -6,6 +6,12 @@
 
 # Helper script that generates the signed kernel image
 
+# All kernel command line changes must update the security base lines in
+# the signer.  It rejects any settings it does not recognize and breaks the
+# build. So any kernel parameter changes that are made here needs to be
+# reflected in ensure_secure_kernelparams.config and deployed to production
+# signing before landed here.
+
 SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
 . "${SCRIPT_ROOT}/common.sh" || exit 1