/boot: make sure operations requiring to be happening under /boot are under subshells

initrd/bin/kexec-save-default

@@ -122,7 +122,7 @@ if [ ! -d $paramsdir ]; then
 fi
 rm $paramsdir/kexec_default.*.txt 2>/dev/null || true
 echo "$entry" > $ENTRY_FILE
-cd $bootdir && kexec-boot -b "$bootdir" -e "$entry" -f | \
+kexec-boot -b "$bootdir" -e "$entry" -f | \
 	xargs sha256sum > $HASH_FILE \
 || die "Failed to create hashes of boot files"
 if [ ! -r $ENTRY_FILE -o ! -r $HASH_FILE ]; then

initrd/bin/kexec-select-boot

@@ -52,7 +52,7 @@ verify_global_hashes()
 {
 	echo "+++ Checking verified boot hash file "
 	# Check the hashes of all the files
-	if cd $bootdir && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
+	if ( cd $bootdir && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ); then
 		echo "+++ Verified boot hashes "
 		valid_hash='y'
 		valid_global_hash='y'
@@ -236,7 +236,7 @@ default_select() {
 	# Enforce that default option hashes are valid
 	echo "+++ Checking verified default boot hash file "
 	# Check the hashes of all the files
-	if cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" > /tmp/hash_output ; then
+	if ( cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" > /tmp/hash_output ); then
 		echo "+++ Verified default boot hashes "
 		valid_hash='y'
 	else

initrd/bin/oem-factory-reset

@@ -322,9 +322,8 @@ report_integrity_measurements()
         check_config /boot force
         TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
 
-        if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
+	if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ); then
             HASH="OK"
-            cd /
             else
                 HASH="ALTERED"
         fi