From 3165c50fed266fef0b388190296c149c0ae0ee47 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Fri, 22 May 2026 20:58:01 -0500
Subject: fix(test): run the ZFS-encryption check on the booted system
The ZFS native-encryption assertion lived in verify_install, which runs in the live ISO before reboot. But archangel exports zroot at the end of the install, so verify_install bails at "ZFS pool not found" and never reaches the check. It was dead code: the encrypted-config tests passed on the reboot path (entering the passphrase at ZFSBootMenu and booting is itself proof), while the explicit aes-256-gcm assertion gave false confidence by never running. I moved it into verify_reboot_survival, which ssh's into the booted system where zroot is imported, so zfs get encryption zroot/ROOT actually returns aes-256-gcm and the assertion fires. Confirmed on a zfs-encrypt VM run: "ZFS encryption (aes-256-gcm) verified on running system."
---
scripts/test-install.sh | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
(limited to 'scripts')
diff --git a/scripts/test-install.sh b/scripts/test-install.sh
index 8d338b6..0bc4e9a 100755
--- a/scripts/test-install.sh
+++ b/scripts/test-install.sh
@@ -546,18 +546,6 @@ verify_install() {
 else
 warn "ZFS genesis snapshot not found"
 fi
-
- # Check ZFS native encryption if configured
- local zfs_pass
- zfs_pass=$(grep '^ZFS_PASSPHRASE=' "$config" | cut -d= -f2)
- if [[ -n "$zfs_pass" ]]; then
- if ssh_cmd "zfs get -H -o value encryption zroot/ROOT" | grep -q "aes-256-gcm"; then
- info "ZFS encryption (aes-256-gcm) verified"
- else
- error "ZFS encryption not set on zroot/ROOT"
- return 1
- fi
- fi
 elif [[ "$filesystem" == "btrfs" ]]; then
 # Btrfs-specific checks
 if ssh_cmd "btrfs subvolume list /mnt" >/dev/null 2>&1; then
@@ -622,6 +610,22 @@ verify_reboot_survival() {
 error "ZFS pool not available after reboot"
 return 1
 fi
+
+ # ZFS native encryption: on an encrypted config, confirm zroot/ROOT
+ # actually carries aes-256-gcm on the running system. The boot
+ # already required the passphrase, but assert the property
+ # explicitly. verify_install can't check this — the pool is exported
+ # by the time it runs, before reboot.
+ local zfs_pass
+ zfs_pass=$(grep '^ZFS_PASSPHRASE=' "$config" | cut -d= -f2)
+ if [[ -n "$zfs_pass" ]]; then
+ if ssh_cmd "zfs get -H -o value encryption zroot/ROOT" | grep -q "aes-256-gcm"; then
+ info "ZFS encryption (aes-256-gcm) verified on running system"
+ else
+ error "ZFS root not encrypted with aes-256-gcm after reboot"
+ return 1
+ fi
+ fi
 elif [[ "$filesystem" == "btrfs" ]]; then
 if ssh_cmd "btrfs filesystem show / >/dev/null 2>&1"; then
 info "Btrfs filesystem healthy after reboot"
-- cgit v1.2.3
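Review bot: The moved check reads the passphrase itself into `zfs_pass` only to learn whether one is configured, so the secret sits in a shell variable and would be printed by any `set -x` trace of the test run, although only its presence is needed. `if grep -q '^ZFS_PASSPHRASE=.' "$config"; then` gives the same gate without holding the value, and it avoids `cut -d= -f2` yielding an empty field for a value that begins with `=`. When the gate is false the block logs nothing, so a config that was meant to be encrypted but is misread skips the assertion silently; an `else` arm with `info "ZFS encryption check skipped (no ZFS_PASSPHRASE in config)"` would make that visible, which is the false-confidence problem this commit sets out to fix. `grep -qx 'aes-256-gcm'` would also compare the property value exactly rather than as a substring. verify_reboot_survival starts and ends outside the hunk.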