VMware vSphere


ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."


  • 1.  ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 13, 2022 08:17 AM

    Hi,

    With the new release ESXi 8.0 Build 20513097 the tpm activation is shown as warning. This wasn't the case with ESXi7.0U3g - tpm 2.0 activation has been detected flawlessly. The 8.0 installation was on the same machine with preserved vmfs.

    On ESXi Host Client, tpm status is declared as "TPM 2.0 device detected but a connection cannot be established.".

    On ESXi Shell, tpm is detected but Drtm is shown as false.

    localcli hardware trustedboot get

    TrustedbootGet:
       Drtm Enabled: false
       Tpm Present: true

    /var/log/vmkwarning.log contains some more info about the issue.

    2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverCheckTPM2:56: TPM 2 TIS interface not active.
    2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverAttachDevice:202: \_SB_.TPM_: couldn't validate TPM support: Not supported
    2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: Elf: 3156: Kernel based module load of tpmdriver failed: Failure <Mod_LoadDone failed>
    2022-10-13T07:39:57.951Z Al(177) vmkalert: cpu5:262408)ALERT: Jumpstart plugin tpm activation failed.

    According to the knowledge base https://kb.vmware.com/s/article/2148536 the issue has been solved in prereleases 6.7/7.0.

    There is no indication in the release notes that there is an issue with tpm/drtm, see https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vmware-vsphere-80-release-notes/index.html .



  • 2.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 14, 2022 02:17 AM

    Same issue here using Ryzen fTPM.  Latest ESXI 7 worked fine.



  • 3.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 14, 2022 05:14 PM

    Same here.

    In my case I installed ESXi 8.0 on a Ryzen test PC, so the hardware is not officially supported. No issues while using ESXi 7.0 though.



  • 4.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 14, 2022 11:28 PM

    Same here on Intel NUC 11.

    ESXi 7.0U3 was working fine.

    Resetting the TPM doesn’t resolve it.



  • 5.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jun 19, 2023 06:59 PM

    Same for me on my Intel NUC 11's (all three of them). In my case I turned off TPM in the BIOS, although that's hardly the answer, looking for a better one.



  • 6.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jun 19, 2023 07:01 PM

    Good luck getting better answer.



  • 7.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jun 19, 2023 07:14 PM

    With respect to https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=205073,205609,205605 , the NUC11TNBv7 is equipped with TPM. This does not help for other flavors though.



  • 8.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 16, 2022 11:59 PM

    Same problem on a Threadripper 3990X



  • 9.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 17, 2022 12:24 PM

    Same issue.

    To recreate this, use the following hardware:

    Ryzen 3900x

    Gigabyte X570S Aero G Motherboard or Asus Strix B450-F Motherboard


    Both have same issues and both work fine with TPM in VMWare ESXI 7.0.3u.

     



  • 10.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 19, 2022 03:27 PM

    Exactly the same error over here, but in my case it is an Intel NUC 11th gen.



  • 11.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 19, 2022 03:44 PM

    Hi,


    A hint, search with "google": Quick Tip - TPM 2.0 connection cannot be established after upgrading to ESXi 8.0


    Regards,
    Ferdinando



  • 12.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 19, 2022 03:56 PM

    From the logs, the entry TPM 2 TIS interface not active correlates to the findings of  , see https://williamlam.com/2022/10/quick-tip-tpm-2-0-connection-cannot-be-established-after-upgrading-to-esxi-8-0.html. He mentions that with respect to Intel NUC an older NUC only is compatible to the actual 8.0 (IA) TPM  2 TIS interface status recognition implementation.

    For better contribution, please add a device classification e.g.

    a) is the device a new model (2022) ? which model and firmware?
    b) is the device with its components on the server compatibility list AND it has the tpm issue ?
    c) are some components supported ? which ones are not on the list?
    d) is the device for homelab purposes only? quantify how many devices

    In my case it's d) 1x hpe 250 g8 (latest bios)



  • 13.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 19, 2022 06:33 PM

    Unfortunately his article doesn’t mention Ryzen fTPM.  I wonder if a drop-in TPM would suffice.



  • 14.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 20, 2022 02:04 AM

    I just ordered a GC-TPM2.0_S TPM Module for my Gigabyte X570S Aero G motherboard. It'll be a while before it gets here, but when it does I'll try it and let others know.



  • 15.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 20, 2022 03:37 AM

    from a market companion analyst view, the choice in VMware ecosystem unfortunately has been reduced.

    https://learn.microsoft.com/en-us/windows-hardware/design/minimum/supported/windows-11-supported-amd-processors

    This might be a temporary and wrong view as it isn‘t server business.

    Integrating vendor hardware/firmware in virtual hardware version steps -  advertizes the Intel NUC series by strategy. It is more energy saving for developers to focus one vendor product branch. Same e.g. for the vmkusb fling. There is a shortage of skilled workers for such developers.

    just thinking loud.



  • 16.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 20, 2022 11:42 AM

    Hi,


    So, if I have read the article correctly, the point of the speech is that the TPM object your system is equipped with, as implemented, does not conform to some necessary specifications, is not supported and consequently not even used.


    In order to describe the problem we are discussing here the reference to Intel systems called "NUC" is conceptually irrelevant, he owns those not all possible someone else's. So, getting to the point, what does the article say? Or we live with that warning or we disable the incompatible TPM object.


    Now, let's be practical, products like ESXi do not have the "consumer" market as their reference market but the "business" market with all its own particular needs and that when things don't work as they should it means "losing a pot of money", all the rest (useless) chat. And why on earth would anyone devote time and resources to support non-existent items in the context of their target market?


    Regards,
    Ferdinando



  • 17.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 20, 2022 12:28 PM

    Hi Ferdinando,

    With respect to development cycles of 12-18 months and facing the goals of Project Keswick, the diversity of edge devices imho is important. TPM releases and implementation flavors shall not become a border.

    In 2010 as a system engineer, it was simple to stage Lenovo/Dell/HPE laptops, workstations and small factor devices as ESXi host. Of course, it wasn't supported. The metric of a rich diversity in this area since then is NestedESXi eligibility of devices.

    Most AMD Ryzen flavors weren't/aren't officially supported. So far from the field, an increased number of Intel NUCs have the issue with TPM since ESXi8.0.
    Yes, the TPM object of my 2022 system is equipped with, as implemented, does not conform to some necessary specifications, is not supported and consequently not even used for non-homelab purposes.

    As said, the impression might be totally wrong. Hence, it would be nice to share better feedback with VMware PM. So far, the feedback from the community is somewhat neglectable small.

    Kind regards,
    Daniel



  • 18.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 23, 2022 08:36 PM

    I agree.

    Especially where this TPM in Ryzen CPUs worked in the previous release, without issues...

    Currently working fine in Proxmox as well. I know VMWare is a bit picky about what hardware is supported, but an fTPM built into a CPU, where most OSs require it before they can be installed, should be supported. It shouldn't even be a question to support it, it should just be there, home or enterprise, it doesn't matter.

    Good news though, the hardware TPM for my Gigabyte board is scheduled for delivery tomorrow. If that works, it's a good workaround for now (and even a solution), too bad the prices doubled on these with the release of Windows 11...



  • 19.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 24, 2022 04:21 PM

    Well bad news. The TPM 2.0 module showed up today, but VMWare ESXI 8 still cannot utilize it.

    - Confirmed FTPM is turned off. Saved BIOS - Rebooted

    - BIOS Sees new TPM Module. Enabled for 256 hash.

    - VMWare ESXI 8, does not give a warning about the TPM 2.0, however:

     

    localcli hardware trustedboot get

    TrustedbootGet:
       Drtm Enabled: false
       Tpm Present: true

    I see no other options I can try in VMWare ESXI to pass this through, or enable it or anything.

    I started poking around on the BIOS and enabled IOMMU Groups & Secure Boot but it didn't change the outcome.

    Maybe others will have better luck.



  • 20.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 24, 2022 06:22 PM

    Hi,


    Reading here and seem to understand that if for your TPM 2.0 module the "Intel TXT" option is available and active you may need to disable it.


    Returning to the argument under discussion, this excerpt from the official documentation should be read:
    "Ensure that the TPM is configured in the ESXi host's BIOS to use the SHA-256 hashing algorithm and the TIS / FIFO (First-In, First-Out) interface and not CRB (Command Response Buffer). For information about setting these required BIOS options, refer to the vendor documentation".


    Now, IMHO, as this information is disclosed to anyone, it is the manufacturer of a system (the OEM) who should be concerned with implementing things (the TPM module, and not only that) in a manner that conforms to these specifications, admitted he wants his customer to be able to use his product reliably in combination with a very specialized product like ESXi, not the other way around. Otherwise, when things don't work out, the concept of "support" becomes more of a "guesswork", hoping that someone, possibly, will make it (the concept of "best effort").


    Regards,
    Ferdinando



  • 21.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 24, 2022 07:36 PM

    good point.

    In my homelab use case the same bios setting works on ESXi 7.0U3g, but gives the warning in ESXi 8.0. In BIOS there are three options: TPM Device (Available), TPM State (Enabled), Clear TPM (no). That's it. That's all. No more option with the latest greatest firmware version.

    On HPE Gen10 servers there is no issue - you can change TPM bus from FIFO to CRB.

    I've seen that some Dell laptops have a tremendous bunch of TPM options e.g. TPM on + Attestation Enable + Key Storage enable + SHA256. On newer Dell servers you can set "Intel TXT" on/off and change the TPM2.0 Algorithm granularly from SHA1 to SHA256. 

    The matching VMware docs text section in 7.0 and 8.0 hasn't changed.

    Neither booting ESXi 7.0U3g nor ESXi8.0, but the alternate boot into Windows 11 says, hey, TPM2.0 works flawlessly. Start tpm.msc and you see TPM is active, e.g. vendor name: INTC, vendor version: 600.7.41.21542, specification version: 2.0.
    You start tpmtool.exe getdeviceinformation. The output shows some granular infos e.g. PPI version 1.3 and TPM specification version 1.38. 

    The latest greatest TPM specification version is 1.59 according to trustedcomputinggroup.org tpm library specification. I haven't found this family 2.0 tpm library specification on esxcli output.

     



  • 22.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Oct 24, 2022 07:53 PM

    At this point I've given up on it.

     

    With now this issue, and previous issues regarding driver support, I'm back to just using Proxmox. Both TPMs are detected and work flawless in Proxmox 7.2, I also tried Windows 11 this afternoon on this machine bare metal, and it can make use of both TPMs. For giggles I tried ESXi 7.0.3, guess what, no issue detecting and using the external TPM either.

    - AMD System: There's no Intel TXT option in BIOS.
    - By default, it's set to SHA-256 Hashing and is the TIS interface.

    I have no doubt that the Ryzen CPU fTPM and the external TPM 2.0 module both conform to the standards. The most interesting thing is as mentioned, both these TPMs work out of the box in VMWare 7.0.3.

    With every release, we seem to get more restricted, moving backwards. I agree that this is really outside of support since we are using unsupported hardware, but this is something very basic that should just work.

    Anyways, I'll keep monitoring this thread and probably will try a new release here and there to see what the results are.

    Best of luck!



  • 23.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 14, 2022 01:37 AM

    Hello.  I have gotten the same thing and the setup of Windows11 got stuck with TPM2.0 module.

    The module of TPM2.0 on the PC motherboard might not support I guess.  Or it doesn't make sense...

    Here is my post, but I've not gotten any answers yet.

    https://communities.vmware.com/t5/ESXi-Discussions/PM-2-0-connection-cannot-be-established-on-ESXi-host-dashboard/m-p/2936997#M284545

     

    Regards,



  • 24.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 11, 2022 04:03 PM

    DellEMC PowerEdge R7515 with EPYC 7402P also get this alert...



  • 25.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Dec 11, 2022 02:17 PM

    There is a new release: https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80a-release-notes/index.html#esxi-8-0a-20842819-standard-resolved

    When TPM 2.0 is enabled with TXT on an ESXi host, attempts to power-on a virtual machine might fail

    When TXT is enabled on an ESX host, attempts to power-on a VM might fail with an error. In the vSphere Client, you see a message such as This host supports Intel VT-x, but Intel VT-x is restricted. Intel VT-x might be restricted because 'trusted execution' has been enabled in the BIOS/firmware settings or because the host has not been power-cycled since changing this setting.

    worth a try

    t.

     

    p.s: tested with x570 ftpm, still does not work; but the bios ftpm is CRB not TIS. GC-TPM2.0_S TPM Module is TIS so still a chance it works.



  • 26.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jan 21, 2023 08:33 AM

    Go to the BIOS settings as follows:

    • TPM2 Algorithm Selection to SHA256
    • Turn on Intel(R) TXT 
    • Enable Secure Boot


  • 27.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jan 27, 2023 01:07 PM

    This is a thread about AMD CPU's TPM....they don't tend to have INTEL related settings in the BIOS.



  • 28.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Jan 27, 2023 03:13 PM

    Hi,


    You're wrong, this thread started discussing a topic related to an Intel processor machine and of more general relevance.
    The specifications indicated by VMware may not be shared but, nevertheless, they are very clear. And it boils down to the take-it-or-leave-it concept.


    Regards,
    Ferdinando



  • 29.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Feb 02, 2023 04:37 AM

    Same problem using ESXi 8.0 on Asus Prime z690-p D4 using CPU Intel i7 13700. 1st problem unable to join vSphere vCenter 8.0. Finally able to register after bypass or ignore in few step. After joined vCenter it show the real problem as issue "TPM 2.0 device detected but a connection cannot be established.". Tried Proxmox and Truenas scale and both unable to install Windows 2022 as VM guest maybe that TPM caused the problem.

     



  • 30.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Feb 02, 2023 10:24 AM

    Here an update in sort of a recommendation.

    First, don't buy cheap hardware. Differentiate good hardware with a rebate. Pay attention about the TPM specs text !

     

    With the following spec, TPM 2.0 is detected on Hypervisor ESXi8.

    Discrete Hardware Trusted Platform Module (TPM) 2.0 (available in select regions only): Discrete TPM 2.0 by IC FIPS-140-2 certified/TCG certified, TCG certification for TPM (Trusted Computing Group)

     

    With the following spec, TPM 2.0 might be declared as detected on latest Microsoft Windows Server and Desktops releases, but for sure is not detected on Hypervisor ESXi8.

    Hardware TPM is v1.2, which is a subset of the TPM 2.0 specification version v0.89 as implemented by Intel Platform Trust Technology (PTT)

    There are mainboard vendors with integrated TPMs and firmware TPMs, without having changed their manufacturing process to include a TPM chip with the FIPS-140 certification.
    Luckily, some mainboard vendors have published a newer firmwares which fulfill the actual ESXi8 TPM 2.0 detection requirements because of the capability of the TPM chip.
    Luckily, on some mainboards you can add a discrete TPM 2.0 chip. In most cases it costs less than 100 US$. My favorite blog on this is https://thenicholson.com/how-do-i-secure-and-encrypt-an-esxi-boot-device

    Be careful when considering a laptop for homelab ESXi8 purposes. Usually there is no add-chip-option.
    Hypervisor TPM + Software TPM are options. When it comes to testing upgrade procedures + recovery recipes, it overcomplicates the original learning topic though.

     

    Mind the gap. Before buying hardware, look to the https://www.vmware.com/resources/compatibility/search.php. Also, for mobile and rugged homelab purposes, carefully do research about hardware security options.



  • 31.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Feb 22, 2023 10:18 AM

    just leaving a short note.

    ESXi-8.0b-21203435-standard (Build 21203435) on msi x570 (firmware f38a, ftpm) TPM still does not work.

    Has anyone tested the Hardware TPM for MSI with the most current firmware and esxi version?

    t.



  • 32.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Mar 13, 2023 04:37 PM

    seeing the same error on Dell R6515 AMD Epyc 7302P, still don't have a solution yet,
    will be opening support tickets with Dell and VMware and update if I find an answer, but for anyone else stuck here:

    TPM settings look correct (based on VMware/Dell instructions)
    TPM is ON
    Type: 2.0 NTC
    TPM Firmware 1.3.2.8
    TPM Hierarchy is ENABLED
    TPM Power button is ENABLED
    AC Recovery is LAST
    UEFI Variable Access is STANDARD
    Secure Boot Policy is STANDARD
    Secure Boot Mode is DEPLOYED

    VMware shows the unit as compatible: https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=server&productid=48586

    Dell BIOS is version 2.9.3 (which is marked as compatible at link above for TPM)

    Seems to boil down to this: "VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active." from the VMKernel.log:

    vmkernel: VMB_TPM: 1961: Activated locality 0 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 613: TPM is in FIFO mode. 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 1983: Initialization of TPM 2 impl done. 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 1930: Vendor ID: NTC 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 909: Received unexpected digest count: 0 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active. 2023-03-08T13:57:13Z In(182)
    vmkernel: VMB_TPM: 187: Failed to initialize TPM



  • 33.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Mar 13, 2023 09:39 PM

    answer: 
     SHA256 MUST be selected within the Dell Bios in-person, there is no way to set SHA256 (option will not show up at all) in iDRAC, once selected, TPM is recognized, (this is only for AMD-based Dell PowerEdge) it is not configured by default, default is SHA1
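
Added example (not part of any post in this thread and not VMware code): a POSIX sh triage helper that sorts the TPM start-up messages quoted in posts 1 and 32 into the two causes the thread identifies, an interface that is not TIS/FIFO and an inactive SHA-256 PCR bank. The function names, finding labels and hint texts are assumptions of this example; the sample input is copied from those posts.

```shell
#!/bin/sh
# Added example: triage of ESXi TPM start-up messages. The matched message
# strings are the ones quoted in this thread; the finding names and hints are
# this example's own labels (assumptions), not VMware terminology.

# Read log text on stdin; print one "finding: hint" line per message class
# seen, in a fixed order, or "no-known-tpm-error" when nothing matches.
tpm_triage() {
    awk '
    /TPM 2 TIS interface not active/          { f["interface-not-tis"] = 1 }
    /SHA-256 PCR bank not found to be active/ { f["sha256-bank-inactive"] = 1 }
    /TPM is in FIFO mode/                     { f["interface-fifo"] = 1 }
    /module load of tpmdriver failed/         { f["driver-load-failed"] = 1 }
    /Failed to initialize TPM/                { f["init-failed"] = 1 }
    END {
        n = split("interface-not-tis sha256-bank-inactive interface-fifo driver-load-failed init-failed", order, " ")
        hint["interface-not-tis"]    = "cause: TPM is not exposed over TIS/FIFO; look for an interface option in BIOS (quoted doc: TIS/FIFO, not CRB)"
        hint["sha256-bank-inactive"] = "cause: SHA-256 PCR bank inactive; select SHA256 as the TPM algorithm in BIOS setup"
        hint["interface-fifo"]       = "info: TPM is in FIFO mode, which matches the quoted interface requirement"
        hint["driver-load-failed"]   = "effect: tpmdriver module did not load"
        hint["init-failed"]          = "effect: TPM initialization failed"
        for (i = 1; i <= n; i++)
            if (order[i] in f) { print order[i] ": " hint[order[i]]; found = 1 }
        if (!found) print "no-known-tpm-error"
    }'
}

# Reduce the output of "localcli hardware trustedboot get" (stdin) to one line.
trustedboot_state() {
    awk -F': *' '
    { sub(/[ \t\r]+$/, "") }            # drop trailing whitespace
    /Tpm Present/  { tpm = $2 }
    /Drtm Enabled/ { drtm = $2 }
    END { printf "tpm=%s drtm=%s\n", (tpm == "" ? "unknown" : tpm), (drtm == "" ? "unknown" : drtm) }'
}

# Sample input copied from post 1 (vmkwarning.log).
sample_post1_log() {
    cat <<'EOF'
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverCheckTPM2:56: TPM 2 TIS interface not active.
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverAttachDevice:202: \_SB_.TPM_: couldn't validate TPM support: Not supported
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: Elf: 3156: Kernel based module load of tpmdriver failed: Failure <Mod_LoadDone failed>
2022-10-13T07:39:57.951Z Al(177) vmkalert: cpu5:262408)ALERT: Jumpstart plugin tpm activation failed.
EOF
}

# Sample input copied from post 32 (vmkernel log, as pasted there).
sample_post32_log() {
    cat <<'EOF'
vmkernel: VMB_TPM: 1961: Activated locality 0 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 613: TPM is in FIFO mode. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 1983: Initialization of TPM 2 impl done. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 1930: Vendor ID: NTC 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 909: Received unexpected digest count: 0 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 187: Failed to initialize TPM
EOF
}

# Sample "localcli hardware trustedboot get" output copied from post 1.
sample_trustedboot() {
    cat <<'EOF'
TrustedbootGet:
   Drtm Enabled: false
   Tpm Present: true
EOF
}

# Stand-alone demo on the embedded samples.
echo "post 1:";  sample_post1_log  | tpm_triage
echo "post 32:"; sample_post32_log | tpm_triage
echo "trustedboot: $(sample_trustedboot | trustedboot_state)"
```

On a host, pipe the real log in instead, for example `tpm_triage < /var/log/vmkwarning.log`. In this thread the same `Tpm Present: true` / `Drtm Enabled: false` output is reported both with the warning (post 1) and without any warning (post 35), so the log messages, not that output, tell the two causes apart.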



  • 34.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Mar 16, 2023 06:24 AM

    Same issue here with AMD chip.



  • 35.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Apr 01, 2023 05:08 PM

    For anyone interested, I just tested ESXi 8.0 on a system with the below hw components.

    • Asus Pro B660M-C D4-CSM
    • Intel Core i5 12500

    The motherboard has a built-in TPM chip (apart from the CPU's firmware TPM).

    On the ESXi interface, I got no errors/warnings at all. On the vCenter interface, I was getting the "TPM Encryption Recovery Key Backup Alarm" which my understanding is that it could be suppressed after backing up the recovery key.

    When hitting localcli hardware trustedboot get though I still get

    TrustedbootGet:
    Drtm Enabled: false
    Tpm Present: true



  • 36.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Sep 29, 2023 05:08 AM

    same here on Asus ProArt X670E - this is no cheap dumb fu.. hardware.
    This incompatibility is a joke.
    I understand picky specs for Controllers, GPUs, NICs and such but for a fuc++++ TPM?

    Fix this !

    I should just change my private HV (my trial and learning platform) and guess what, the companies I maintain will follow.
    After years of stupid VMware decisions of shrinking standard hardware support this is additional fire to an already declining userbase.

    And making the board manufacturers accountable for such incompatibility is just laughable - on 7.0U3g it's working, and for other OS this is obviously also no problem.

    Goodbye VMWare.



  • 37.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Sep 30, 2023 06:12 AM

    Hi,

    your opinion about the product compatibility matrix is very negative, also about the userbase.

    The tremendous security demand from tele communication, finance, military, construction and energy sectors is the 2nd wave after the virtualization. On the way towards 2030 we cannot have autonomous systems, low earth orbit industrialization and smart cities without safe filters.

    Yes there was a time where Bring-Your-Own was fancy. With respect to FSD and LLM where routine decisions are delegated to compute systems, safety comes first, second and third. Security specs are security specs versions. Biometric access systems used TPM 1.2 and today 2.0. For sure this will advance again. The chips for a specific version often are produced for a decade. Software vendors have the choice to check the version of a chip feature and that's good. For safety first systems, best filters are a must. Company decisions about risk appetite and risk acceptance have to be respected.

    VMware never positioned themselves in home computer systems market. Never. It is nice that they support workload management on edge systems, and of course it would be nice to see a rich ecosystem, but the home computer system market is out of scope.

    For a short time period, for sure a few enthusiasts will show their Jarvis-on-ESXi on Nvidia GPU laptops with biometric access management. I would try it, too. And with the same enthusiasm, I want safety first when entering the 2030 future.



  • 38.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Sep 30, 2023 11:54 AM

     wrote:

    Hi,

    your opinion about the product compatibility matrix is very negative,

    and? should i be happy?

    also about the userbase.

    no. Why do you put things in my mouth which I didn't say? I'm negative about VMWare, not the community.

    The tremendous security demand from tele communication, finance, military, construction and energy sectors is the 2nd wave after the virtualization. On the way towards 2030 we cannot have autonomous systems, low earth orbit industrialization and smart cities without safe filters.

    what are you talking about, someone's ivory tower?
    Guess what, I'm talking about lab/test conditions. I didn't question the need for TPM in general here, I just questioned it for a home lab or a "lab mode". So, why not integrate a switch/mode for extended compatibility? Or be more conscious about excluding specs with wide impact. And on this topic (TPM) I predict future compatibility critical impacts which make the whole Product/Feature Intention of Virtualisation obsolete; Impact-Magnitude-Level: How you transform a worthful facility or a space shuttle into something with the worth of a brick - not on your own, just by some illustrious external decision makers.

    Yes there was a time where Bring-Your-Own was fancy.

    who is talking about BYOD?
    Are you inferring from oneself to others? So you brought your own device?
    I never did, cause of reasons, security reasons.
    Ever thought about leaving your own "fancy" little Isle?
    Again, I'm talking about homelabs where a 5 digits pile of hardware is not affordable for everyone every time. And being not blessed with endless money doesn't say anything how potential/capable the people in these home labs are, did you ever think about that young people with home labs might be even more capable and tech-savvy than these ivory "i have endless money and buy everything peepos"? And maybe they are the future?

    With respect to FSD and LLM where routine decisions are delegated to compute systems, safety comes first, second and third. Security specs are security specs versions. Biometric access systems used TPM 1.2 and today 2.0.

    WTF I'm talking about homelabs, not Fort Knox
    An emulated TPM would be fine, and it's just software.
    I'm actually more in fear that other reasons are driving such restrictive decisions, to speak: money reasons. (stupid short thought decisions from business people)

    For sure this will advance again. The chips for a specific version often are produced for a decade.

    funny, you are talking about 10 years (which is nothing in some industries)
    I'm talking about key features of virtualisation environments such as compatibility, long term compatibility cause of broad HCL.
    So you brought up a topic that even supports my point of view.

    Software vendors have the choice to check the version of a chip feature and that's good. For safety first systems, best filters are a must. Company decisions about risk appetite and risk acceptance have to be respected.

    VMware never positioned themselves in home computer systems market. Never.

    There is no such thing as "home computer systems" there is only technology and compatibility and cheap or expensive hardware.
    Or if I talk on your level: any idea on what kind of technology your "fancy server hardware" is based on? How x86 platform caught attention and got to life?
    By your fancy standards you should immediately throw all your "fancy hardware" out to the window, cause it was kind of born or at least accelerated in home brew computer shops or garages.

    It is nice that they support workload management on edge systems, and of course it would be nice to see a rich ecosystem, but the home computer system market is out of scope.

    For a short time period, for sure a few enthusiasts will show their Jarvis-on-ESXi on Nvidia GPU laptops with biometric access management. I would try it, too. And with the same enthusiasm, I want safety first when entering the 2030 future.


    summary: I didn't gain any positive/constructive/facilitative knowledge from your reply on my concerns about VMWare's compatibility politics. Now it even took me time to broaden your sight? But I guess you are too "fancy" to understand anything of what I'm talking about,
    or should I ask myself now how you got contact to technology? Should I guess you were directly born into someone's tech ivory tower with endless knowledge and resources?



  • 39.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Sep 30, 2023 01:49 PM
    Hi,
     
    I'm re-reading the 'negative about VMWare' voices here on communities.vmware.com which are honoring on the same time that the VMUG Advantage membership is a very attractive community offer.
    Having chosen the wrong hardware happened quite a few times.
     
    Hence, a disadvantage is that there is no VMUG store with officially advertized hardware for a specific homelab purpose. 
     
    An effort in this direction has been made by vExperts and can be found at https://github.com/lamw/homelab, but the purpose there is separated from a store buy option.
     
    In a store, it would be nice to set a filter for the homelab purpose chosen and the costs you are willing to spend for your homelab.
     
    Here a draft.
     
                                            | costs combo VMUG advantage membership + hardware
       homelab purpose                      | < 500 US$ | < 1500 US$ | < 5000 US$  | >= 5000 US$
    ------------------------------------------------------------------------------------------
    Workstation, Fusion                     |           |            |             |
    ESXi                                    |           |            |             |
    vCenter Server                          |           |            |             |
    vSAN                                    |           |            |             |
    NSX-T                                   |           |            |             |
    vRealize Operations                     |           |            |             |
    vRealize Log Insight                    |           |            |             |
    vRealize Automation                     |           |            |             |
    Horizon View                            |           |            |             |
    Tanzu                                   |           |            |             |
    VMware Cloud Foundation                 |           |            |             |
     
    A year ago, Russel Hamker for instance spent 15'000 US$ (!) for his homelab and with that he is able to tinker with all products, and with hardware support for more than one year.
    A few months ago, Eddie Kwok added his homelab's bill of materials for ESXi, vCenter and vSAN. He spent less than 1'000 US$ for the combo.
     
    Another disadvantage is the fact that the vExpert community did not update the homelab list with focus on GPU.
    Actually with #ProjectKeswick, William Lam adds one kit after the other on his blog. The latest one was this week, see https://williamlam.com/2023/09/esxi-on-lenovo-thinkstation-p3-ultra.html.
    Nevertheless, more than a blog entry, a VMUG Advantage store buy option could be helpful.
     
    Thoughts about the idea?
     
    Personal: I left the vExpert community because of lack of time to exercise with "heavy systems" on the job and at home. VMware Workstation suddenly was good enough for the purpose needed. One of my actual homelab computer systems, a Lenovo 13th Gen Intel(R) Core(TM) i9-13905H 2.60 GHz, 64 GB RAM, Nvidia RTX4070 GPU, was about 3500 US$. It is not on the VMware ESXi compatibility matrix and it was my decision to buy the hardware. Long story of this thread in short, 12 months ago I bought a HPE 250 G8 and used it as a tiny ESXi homelab. I learned about the strict ESXi 8.0++ TPM 2.0 specs [Secure Boot must be enabled, ability to set TPM2 Algorithm to SHA256, SHA1 is not sufficient, ++ ]. At that time it was new for me. Others already blogged about TPM2.0 because of their experience in business with new server hardware.


  • 40.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 02, 2023 06:20 PM

    Same issue here. Dell PowerEdge R7515 w/ AMD Epyc 7543P. Running Dell custom 8.0u2



  • 41.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 02, 2023 06:58 PM

    removed, see below, couldn't see original reply. there is a quick solution TPM -> algorithm -> SHA256 (comes as SHA 1 by default)



  • 42.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 02, 2023 07:00 PM

    Hi, hope you see this....

    Solution: go to the BIOS settings as follows:

    TPM2 Algorithm Selection to SHA256

    SHA256 MUST be selected within the Dell BIOS in person; there is no way to set SHA256 (the option will not show up at all) in iDRAC. Once selected, the TPM is recognized. (This is only for AMD-based Dell PowerEdge.) It is not configured by default; the default is SHA1.



  • 43.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Nov 06, 2023 08:16 PM

     wrote:

    Hi, hope you see this....

    Solution: go to the BIOS settings as follows:

    TPM2 Algorithm Selection to SHA256

    SHA256 MUST be selected within the Dell BIOS in person; there is no way to set SHA256 (the option will not show up at all) in iDRAC. Once selected, the TPM is recognized. (This is only for AMD-based Dell PowerEdge.) It is not configured by default; the default is SHA1.


    Can confirm this seems to have cleared the TPM error on a Dell PE 7515 host w/ AMD Epyc 7543P 32 core CPU. Note: you can change it via iDRAC if you console to the server. Even though the option to change showed up in iDRAC -> Configuration -> BIOS for me, changing it and rebooting did not cause the change to take effect. I had to console to the server, hit F2 during boot, and configure it the old-fashioned way (albeit still via iDRAC).
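
    A check for after the SHA256 change described in posts 42 and 43, added here as an example and not part of any post. It combines the `localcli hardware trustedboot get` output with the `/var/log/vmkwarning.log` messages quoted in post 1, because that post shows `Tpm Present: true` while the driver failed to load. The function names, state labels and the boot-time argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify TPM state on an ESXi host from
# the two sources quoted in post 1. Function names and states are hypothetical.

# Constructed sample in the output format of `localcli hardware trustedboot get`.
SAMPLE_TB='TrustedbootGet:
   Drtm Enabled: false
   Tpm Present: true'

# Constructed sample log: two lines copied from post 1 (boot before the BIOS
# change) followed by an unrelated, made-up line from a later boot.
SAMPLE_LOG='2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverCheckTPM2:56: TPM 2 TIS interface not active.
2022-10-13T07:39:57.951Z Al(177) vmkalert: cpu5:262408)ALERT: Jumpstart plugin tpm activation failed.
2022-10-13T09:02:11.000Z Wa(180) vmkwarning: cpu1:262200)WARNING: constructed unrelated warning'

# Print the value of one "Name: value" field from the trustedboot text.
tb_field() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Count TPM driver failures logged at or after timestamp $2 (ISO 8601, UTC).
# Entries from earlier boots stay in the log and must not be counted.
tpm_errors_since() {
  printf '%s\n' "$1" | awk -v since="$2" '
    ($1 "") >= (since "") &&
    /WARNING: tpmDriver:|module load of tpmdriver failed|Jumpstart plugin tpm activation failed/ { n++ }
    END { print n + 0 }'
}

# $1 = trustedboot text, $2 = log text, $3 = time of the boot being checked.
tpm_state() {
  present=$(tb_field "$1" 'Tpm Present')
  drtm=$(tb_field "$1" 'Drtm Enabled')
  errs=$(tpm_errors_since "$2" "$3")
  if [ "$present" != "true" ]; then state=no-tpm
  elif [ "$errs" -gt 0 ]; then state=driver-failed
  else state=no-driver-errors
  fi
  echo "$state drtm=${drtm:-unknown} errors=$errs"
}

# Assumed usage on a host, with the time of the reboot after the BIOS change:
#   tpm_state "$(localcli hardware trustedboot get)" \
#             "$(cat /var/log/vmkwarning.log)" "<boot time in log format>"
tpm_state "$SAMPLE_TB" "$SAMPLE_LOG" "2022-10-13T07:00:00Z"
tpm_state "$SAMPLE_TB" "$SAMPLE_LOG" "2022-10-13T09:00:00Z"
```

    The second call reports no driver errors only because the warnings from the earlier boot fall before the cut-off; without that filter the stale entries would read as a failure after a successful fix.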



  • 44.  RE: ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

    Posted Feb 05, 2024 12:02 PM

    Thanks, I will look into whether setting SHA256 on my platform will work also. Does anyone have the link to the VMware document that specifies that ESX only uses FIFO?? Because if that is still the case then the blame is at VMware and not the hardware vendors. Because the official industry specs for TPM say that you must try FIFO first and if not available then you must try CRB. It is on page 9 of the official spec document in the flowchart. https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_Design_Principles_TPM2p0_Driver_rp27_190809_final.pdf