signer: run kernel security test of kernel partition 4 instead of partition 2

The test is run on a recovery image by the signer. We care more about the
parameters on the kernel partition 4 (the SSD install kernel) than 2.

It'd be nice to have security test on the recovery kernel too and I have
marked that as a TODO for now.

BUG=chromium-os:24077
TEST=tested on a R17 and R18 mario, alex and zgb image.

Reviewed-on: https://gerrit.chromium.org/gerrit/12970
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>

(cherry picked from commit e5d31dce377ad34e2a165e6e5d98f819b20c212d)

Change-Id: I937dd3c38aef307ca1d80c9d85fb647fe40512ab
Reviewed-on: https://gerrit.chromium.org/gerrit/13726
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Tested-by: Stefan Reinauer <reinauer@chromium.org>

1 files changed, 5 insertions, 1 deletions

diff --git a/scripts/image_signing/ensure_secure_kernelparams.sh b/scripts/image_signing/ensure_secure_kernelparams.sh
index 0fa116ee..52a3ce99 100755
--- a/scripts/image_signing/ensure_secure_kernelparams.sh
+++ b/scripts/image_signing/ensure_secure_kernelparams.sh
@@ -76,7 +76,11 @@ main() {
     . "$configfile"
 
     local kernelblob=$(make_temp_file)
-    extract_image_partition "$image" 2 "$kernelblob"
+    # TODO(jimhebert): Perform the kernel security tests on both the kernel
+    #                  partitions. Here, we just run it on kernel partition 4
+    #                  which is the install kernel on the recovery image.
+    #                  crosbug.com/24274
+    extract_image_partition "$image" 4 "$kernelblob"
     local rootfs=$(make_temp_dir)
     mount_image_partition_ro "$image" 3 "$rootfs"