| author | Craig Jennings <c@cjennings.net> | 2026-05-22 20:58:01 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-05-22 20:58:01 -0500 |
| commit | 3165c50fed266fef0b388190296c149c0ae0ee47 (patch) | |
| tree | 6510ae19315f55eec78f0c618dbd737672b097f6 /scripts | |
| parent | bed054f46e3b41aae0d599ed7fbc3e1e42d6ddd7 (diff) | |
| download | archangel-3165c50fed266fef0b388190296c149c0ae0ee47.tar.gz archangel-3165c50fed266fef0b388190296c149c0ae0ee47.zip | |
fix(test): run the ZFS-encryption check on the booted system
The ZFS native-encryption assertion lived in verify_install, which runs in the live ISO before reboot. But archangel exports zroot at the end of the install, so verify_install bails at "ZFS pool not found" and never reaches the check. It was dead code: the encrypted-config tests passed on the reboot path (entering the passphrase at ZFSBootMenu and booting is itself proof), while the explicit aes-256-gcm assertion gave false confidence by never running.
I moved it into verify_reboot_survival, which ssh's into the booted system where zroot is imported, so zfs get encryption zroot/ROOT actually returns aes-256-gcm and the assertion fires. Confirmed on a zfs-encrypt VM run: "ZFS encryption (aes-256-gcm) verified on running system."
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/test-install.sh | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/scripts/test-install.sh b/scripts/test-install.sh
index 8d338b6..0bc4e9a 100755
--- a/scripts/test-install.sh
+++ b/scripts/test-install.sh
@@ -546,18 +546,6 @@ verify_install() {
 else
 warn "ZFS genesis snapshot not found"
 fi
-
- # Check ZFS native encryption if configured
- local zfs_pass
- zfs_pass=$(grep '^ZFS_PASSPHRASE=' "$config" | cut -d= -f2)
- if [[ -n "$zfs_pass" ]]; then
- if ssh_cmd "zfs get -H -o value encryption zroot/ROOT" | grep -q "aes-256-gcm"; then
- info "ZFS encryption (aes-256-gcm) verified"
- else
- error "ZFS encryption not set on zroot/ROOT"
- return 1
- fi
- fi
 elif [[ "$filesystem" == "btrfs" ]]; then
 # Btrfs-specific checks
 if ssh_cmd "btrfs subvolume list /mnt" >/dev/null 2>&1; then
@@ -622,6 +610,22 @@ verify_reboot_survival() {
 error "ZFS pool not available after reboot"
 return 1
 fi
+
+ # ZFS native encryption: on an encrypted config, confirm zroot/ROOT
+ # actually carries aes-256-gcm on the running system. The boot
+ # already required the passphrase, but assert the property
+ # explicitly. verify_install can't check this — the pool is exported
+ # by the time it runs, before reboot.
+ local zfs_pass
+ zfs_pass=$(grep '^ZFS_PASSPHRASE=' "$config" | cut -d= -f2)
+ if [[ -n "$zfs_pass" ]]; then
+ if ssh_cmd "zfs get -H -o value encryption zroot/ROOT" | grep -q "aes-256-gcm"; then
+ info "ZFS encryption (aes-256-gcm) verified on running system"
+ else
+ error "ZFS root not encrypted with aes-256-gcm after reboot"
+ return 1
+ fi
+ fi
 elif [[ "$filesystem" == "btrfs" ]]; then
 if ssh_cmd "btrfs filesystem show / >/dev/null 2>&1"; then
 info "Btrfs filesystem healthy after reboot" |
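Review bot: The moved block in verify_reboot_survival copies the ZFS passphrase out of the config into `zfs_pass` only to test whether it is non-empty, which puts the secret into the harness's variable scope (and into any `set -x` trace) and, via `cut -d= -f2`, truncates a passphrase containing `=`; a presence test that never materialises the value does the same job: `if grep -qE '^ZFS_PASSPHRASE=.+' "$config"; then`. The `grep -q "aes-256-gcm"` substring match would also be tighter as an exact comparison, `if [[ "$(ssh_cmd "zfs get -H -o value encryption zroot/ROOT")" == "aes-256-gcm" ]]; then`, so that a failed ssh_cmd or unexpected output cannot be mistaken for a pass. Note that this asserts the property on zroot/ROOT only; if the installer creates other datasets under zroot (home, var, etc.), none of them is checked here, and a child created without inheriting encryption would go unnoticed — checking `encryptionroot` on the pool's top-level datasets, or iterating `zfs list -H -o name,encryption -r zroot`, would close that gap. verify_reboot_survival starts and ends outside this hunk.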
