VMware Cloud Community
DCasota
Expert

ESXi 8.0 tpm 2.0 status shown as "TPM 2.0 device detected but a connection cannot be established."

Hi,

With the new release ESXi 8.0 Build 20513097, the TPM activation is shown as a warning. This wasn't the case with ESXi 7.0U3g, where TPM 2.0 activation was detected flawlessly. The 8.0 installation was on the same machine with preserved VMFS.

On the ESXi Host Client, the TPM status is declared as "TPM 2.0 device detected but a connection cannot be established.".

On the ESXi Shell, the TPM is detected but Drtm is shown as false.

localcli hardware trustedboot get

TrustedbootGet:
   Drtm Enabled: false
   Tpm Present: true

/var/log/vmkwarning.log contains some more info about the issue.

2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverCheckTPM2:56: TPM 2 TIS interface not active.
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverAttachDevice:202: \_SB_.TPM_: couldn't validate TPM support: Not supported
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: Elf: 3156: Kernel based module load of tpmdriver failed: Failure <Mod_LoadDone failed>
2022-10-13T07:39:57.951Z Al(177) vmkalert: cpu5:262408)ALERT: Jumpstart plugin tpm activation failed.

According to the knowledge base article https://kb.vmware.com/s/article/2148536, the issue has been solved in prereleases 6.7/7.0.

There is no indication in the release notes that there is an issue with TPM/DRTM, see https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vmware-vsphere-80-release-notes/index.html.

43 Replies
bravo0916
Contributor

Hello. I have gotten the same thing, and the setup of Windows 11 got stuck with the TPM 2.0 module.

The TPM 2.0 module on the PC motherboard might not be supported, I guess. Or it doesn't make sense...

Here is my post, but I've not gotten any answers yet.

https://communities.vmware.com/t5/ESXi-Discussions/PM-2-0-connection-cannot-be-established-on-ESXi-h...


Regards,

topuli
Enthusiast

There is a new release: https://docs.vmware.com/en/VMware-vSphere/8.0/rn/vsphere-esxi-80a-release-notes/index.html#esxi-8-0a...

"When TPM 2.0 is enabled with TXT on an ESXi host, attempts to power-on a virtual machine might fail. When TXT is enabled on an ESX host, attempts to power-on a VM might fail with an error. In the vSphere Client, you see a message such as: This host supports Intel VT-x, but Intel VT-x is restricted. Intel VT-x might be restricted because 'trusted execution' has been enabled in the BIOS/firmware settings or because the host has not been power-cycled since changing this setting."

Worth a try.

t.


P.S.: tested with X570 fTPM, still does not work; but the BIOS fTPM is CRB, not TIS. The GC-TPM2.0_S TPM module is TIS, so there is still a chance it works.

yzxicq
Contributor

Go to the BIOS settings as follows:

  • TPM2 Algorithm Selection to SHA256
  • Turn on Intel(R) TXT
  • Enable Secure Boot
ianfretwell
Contributor

This is a thread about AMD CPUs' TPM... they don't tend to have Intel-related settings in the BIOS.

Kinnison
Commander

Hi,

You're wrong, this thread started by discussing a topic related to an Intel processor machine and of more general relevance.
The specifications indicated by VMware may not be shared, but, nevertheless, they are very clear. And it boils down to the take-it-or-leave-it concept.


Regards,
Ferdinando

mercyfan
Contributor

Same problem using ESXi 8.0 on an Asus Prime Z690-P D4 with an Intel i7 13700 CPU. 1st problem: unable to join vSphere vCenter 8.0. Finally able to register after bypassing or ignoring in a few steps. After joining vCenter, it shows the real problem as the issue "TPM 2.0 device detected but a connection cannot be established.". Tried Proxmox and TrueNAS Scale, and both were unable to install Windows 2022 as a VM guest; maybe the TPM caused the problem.


DCasota
Expert

Here is an update, in the form of a recommendation.

First, don't buy cheap hardware. Differentiate good hardware with a rebate. Pay attention to the TPM specs text!


With the following spec, TPM 2.0 is detected on the ESXi 8 hypervisor.

Discrete Hardware Trusted Platform Module (TPM) 2.0 (available in select regions only): Discrete TPM 2.0 by IC FIPS-140-2 certified/TCG certified, TCG certification for TPM (Trusted Computing Group)


With the following spec, TPM 2.0 might be declared as detected on the latest Microsoft Windows Server and desktop releases, but for sure is not detected on the ESXi 8 hypervisor.

Hardware TPM is v1.2, which is a subset of the TPM 2.0 specification version v0.89 as implemented by Intel Platform Trust Technology (PTT)

There are mainboard vendors with integrated TPMs and firmware TPMs, without having changed their manufacturing process to include a TPM chip with FIPS-140 certification.
Luckily, some mainboard vendors have published newer firmwares which fulfill the actual ESXi 8 TPM 2.0 detection requirements because of the capability of the TPM chip.
Luckily, on some mainboards you can add a discrete TPM 2.0 chip. In most cases it costs less than 100 US$. My favorite blog on this is https://thenicholson.com/how-do-i-secure-and-encrypt-an-esxi-boot-device

Be careful when considering a laptop for homelab ESXi 8 purposes. Usually there is no add-chip option.
Hypervisor TPM + software TPM are options. When it comes to testing upgrade procedures + recovery recipes, it overcomplicates the original learning topic though.


Mind the gap. Before buying hardware, look at the https://www.vmware.com/resources/compatibility/search.php. Also, for mobile and rugged homelab purposes, carefully research hardware security options.

topuli
Enthusiast

Just leaving a short note.

ESXi-8.0b-21203435-standard (Build 21203435) on MSI X570 (firmware f38a, fTPM): TPM still does not work.

Has anyone tested the hardware TPM for MSI with the most current firmware and ESXi version?

t.

SBCactus
Contributor

Seeing the same error on a Dell R6515 with AMD Epyc 7302P; still don't have a solution yet.
Will be opening support tickets with Dell and VMware and update if I find an answer, but for anyone else stuck here:

TPM settings look correct (based on VMware/Dell instructions):
TPM is ON
Type: 2.0 NTC
TPM Firmware 1.3.2.8
TPM Hierarchy is ENABLED
TPM Power button is ENABLED
AC Recovery is LAST
UEFI Variable Access is STANDARD
Secure Boot Policy is STANDARD
Secure Boot Mode is DEPLOYED

VMware shows the unit as compatible: https://www.vmware.com/resources/compatibility/detail.php?deviceCategory=server&productid=48586

Dell BIOS is version 2.9.3 (which is marked as compatible at the link above for TPM)

Seems to boil down to this: VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active. From the vmkernel.log:

vmkernel: VMB_TPM: 1961: Activated locality 0 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 613: TPM is in FIFO mode. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 1983: Initialization of TPM 2 impl done. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 1930: Vendor ID: NTC 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 909: Received unexpected digest count: 0 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 187: Failed to initialize TPM

SBCactus
Contributor

Answer: SHA256 MUST be selected within the Dell BIOS in person; there is no way to set SHA256 in iDRAC (the option will not show up at all). Once selected, the TPM is recognized (this is only for AMD-based Dell PowerEdge). It is not configured by default; the default is SHA1.

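The two diagnostic sources the thread keeps coming back to are the `localcli hardware trustedboot get` output (opening post) and the tpmDriver/VMB_TPM lines in vmkwarning.log and vmkernel.log (opening post and the Dell R6515 post). The following script, an added example that is not code from VMware or from anyone in this thread, parses both and maps each known log signature to the firmware-side cause the thread identified (SHA-256 PCR bank inactive, CRB-only fTPM, failed tpm jumpstart plugin); the hint text is the thread's finding, not an official mapping, and the sample input is copied from the excerpts quoted above.

```python
import re

# Sample inputs copied from the log excerpts quoted in this thread (the opening
# post's vmkwarning.log and the Dell R6515 post's vmkernel.log), not from any other host.
SAMPLE_TRUSTEDBOOT = """\
TrustedbootGet:
   Drtm Enabled: false
   Tpm Present: true
"""
SAMPLE_VMKWARNING = """\
2022-10-13T07:39:57.859Z Wa(180) vmkwarning: cpu7:262437)WARNING: tpmDriver: TPMDriverCheckTPM2:56: TPM 2 TIS interface not active.
2022-10-13T07:39:57.951Z Al(177) vmkalert: cpu5:262408)ALERT: Jumpstart plugin tpm activation failed.
"""
SAMPLE_VMKERNEL = """\
vmkernel: VMB_TPM: 250: TPM 2 SHA-256 PCR bank not found to be active. 2023-03-08T13:57:13Z In(182)
vmkernel: VMB_TPM: 187: Failed to initialize TPM
"""

# Log signatures seen in this thread, each mapped to the firmware-side cause the
# thread worked out. These hints are the thread's findings, not an official VMware mapping.
TPM_SIGNATURES = {
    "TPM 2 TIS interface not active":
        "TPM is not reachable over the TIS interface (a CRB-only firmware TPM fails here)",
    "TPM 2 SHA-256 PCR bank not found to be active":
        "SHA-256 PCR bank inactive: set the TPM2 algorithm to SHA256 in firmware (SHA1 is not sufficient)",
    "Jumpstart plugin tpm activation failed":
        "tpm plugin did not attach; Host Client shows 'TPM 2.0 device detected but a connection cannot be established.'",
}
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z")

def parse_trustedboot(text):
    """Parse `localcli hardware trustedboot get` output into {field: bool}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():           # skip the bare "TrustedbootGet:" header
            fields[key.strip()] = value.strip().lower() == "true"
    return fields

def scan_tpm_log(text):
    """Return one finding per log line that matches a known TPM signature."""
    findings = []
    for line in text.splitlines():
        for signature, hint in TPM_SIGNATURES.items():
            if signature in line:
                stamp = TIMESTAMP_RE.search(line)   # timestamp may sit at either end of the line
                findings.append({"timestamp": stamp.group(0) if stamp else None,
                                 "signature": signature, "hint": hint})
    return findings

def diagnose(trustedboot_text, *log_texts):
    # Combine the trustedboot state with every log finding into one summary dict.
    state = parse_trustedboot(trustedboot_text)
    findings = [f for text in log_texts for f in scan_tpm_log(text)]
    return {
        "tpm_present": state.get("Tpm Present", False),
        "drtm_enabled": state.get("Drtm Enabled", False),
        "activation_failed": any(f["signature"].startswith("Jumpstart") for f in findings),
        "findings": findings,
    }
```

Run `diagnose(SAMPLE_TRUSTEDBOOT, SAMPLE_VMKWARNING, SAMPLE_VMKERNEL)` to get the combined report; on a real host feed it the command output and the two log files instead of the samples.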
celavakosa
Contributor

Same issue here with AMD chip.

Cuore_Sportivo
Contributor

For anyone interested, I just tested ESXi 8.0 on a system with the below HW components.

  • Asus Pro B660M-C D4-CSM
  • Intel Core i5 12500

The motherboard has a built-in TPM chip (apart from the CPU's firmware TPM).

On the ESXi interface, I got no errors/warnings at all. On the vCenter interface, I was getting the "TPM Encryption Recovery Key Backup Alarm", which my understanding is that it could be suppressed after backing up the recovery key.

When hitting localcli hardware trustedboot get though, I still get:

TrustedbootGet:
Drtm Enabled: false
Tpm Present: true

dbutch1976
Hot Shot

Same for me on my Intel NUC 11s (all three of them). In my case I turned off TPM in the BIOS, although that's hardly the answer; looking for a better one.

celavakosa
Contributor

Good luck getting a better answer.

DCasota
Expert

With respect to https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=205073,205609,205605 , the NUC11TNBv7 is equipped with a TPM. This does not help for other flavors though.

naettic
Contributor

Same here on Asus ProArt X670E - this is no cheap dumb fu.. hardware.
This incompatibility is a joke.
I understand picky specs for controllers, GPUs, NICs and such, but for a fuc++++ TPM?

Fix this @VMware!

I should just change my private HV (my trial and learning platform) and, guess what, the companies I maintain will follow.
After years of stupid VMware decisions of shrinking standard hardware support, this is additional fire to an already declining userbase.

And making the board manufacturers accountable for such incompatibility is just laughable - on 7.0U3g it's working, and for other OSes this is obviously also no problem.

Goodbye VMWare.

DCasota
Expert

Hi,

Your opinion about the product compatibility matrix is very negative, also about the userbase.

The tremendous security demand from the telecommunication, finance, military, construction and energy sectors is the 2nd wave after virtualization. On the way towards 2030 we cannot have autonomous systems, low earth orbit industrialization and smart cities without safe filters.

Yes, there was a time when Bring-Your-Own was fancy. With respect to FSD and LLMs, where routine decisions are delegated to compute systems, safety comes first, second and third. Security specs are security specs versions. Biometric access systems used TPM 1.2 and today 2.0. For sure this will advance again. The chips for a specific version are often produced for a decade. Software vendors have the choice to check the version of a chip feature, and that's good. For safety-first systems, the best filters are a must. Company decisions about risk appetite and risk acceptance have to be respected.

VMware never positioned themselves in home computer systems market. Never. It is nice that they support workload management on edge systems, and of course it would be nice to see a rich ecosystem, but the home computer system market is out of scope.

For a short time period, for sure a few enthusiasts will show their Jarvis-on-ESXi on Nvidia GPU laptops with biometric access management. I would try it, too. And with the same enthusiasm, I want safety first when entering the 2030 future.

naettic
Contributor


@DCasota wrote:

Hi,

Your opinion about the product compatibility matrix is very negative,

And? Should I be happy?

also about the userbase.

No. Why do you put things in my mouth which I didn't say? I'm negative about VMware, not the community.

The tremendous security demand from the telecommunication, finance, military, construction and energy sectors is the 2nd wave after virtualization. On the way towards 2030 we cannot have autonomous systems, low earth orbit industrialization and smart cities without safe filters.

What are you talking about, someone's ivory tower?
Guess what, I'm talking about lab/test conditions. I didn't question the need for TPM in general here, I just questioned it for a home lab or a "lab mode". So, why not integrate a switch/mode for extended compatibility? Or be more conscious about excluding specs with wide impact. And on this topic (TPM) I predict future compatibility-critical impacts which make the whole product/feature intention of virtualisation obsolete; impact-magnitude level: how you transform a worthful facility or a space shuttle into something with the worth of a brick - not on your own, just by some illustrious external decision makers.

Yes, there was a time when Bring-Your-Own was fancy.

Who is talking about BYOD?
Are you inferring from yourself to others? So you brought your own device?
I never did, because of reasons, security reasons.
Ever thought about leaving your own "fancy" little isle?
Again, I'm talking about homelabs where a 5-digit pile of hardware is not affordable for everyone every time. And not being blessed with endless money doesn't say anything about the potential/capability of the people in these home labs; did you ever think that young people with home labs might be even more capable and tech-savvy than these ivory "I have endless money and buy everything" peepos? And maybe they are the future?

With respect to FSD and LLMs, where routine decisions are delegated to compute systems, safety comes first, second and third. Security specs are security specs versions. Biometric access systems used TPM 1.2 and today 2.0.

WTF, I'm talking about homelabs, not Fort Knox.
An emulated TPM would be fine, and it's just software.
I'm actually more in fear that other reasons are driving such restrictive decisions, to speak: money reasons. (Stupid short-thought decisions from business people.)

For sure this will advance again. The chips for a specific version are often produced for a decade.

Funny, you are talking about 10 years (which is nothing in some industries).
I'm talking about key features of virtualisation environments such as compatibility, long-term compatibility because of a broad HCL.
So you brought up a topic that even supports my point of view.

Software vendors have the choice to check the version of a chip feature, and that's good. For safety-first systems, the best filters are a must. Company decisions about risk appetite and risk acceptance have to be respected.

VMware never positioned themselves in home computer systems market. Never.

There is no such thing as "home computer systems"; there is only technology and compatibility and cheap or expensive hardware.
Or if I talk on your level: any idea what kind of technology your "fancy server hardware" is based on? How the x86 platform caught attention and came to life?
By your fancy standards you should immediately throw all your "fancy hardware" out of the window, because it was kind of born, or at least accelerated, in home-brew computer shops or garages.

It is nice that they support workload management on edge systems, and of course it would be nice to see a rich ecosystem, but the home computer system market is out of scope.

For a short time period, for sure a few enthusiasts will show their Jarvis-on-ESXi on Nvidia GPU laptops with biometric access management. I would try it, too. And with the same enthusiasm, I want safety first when entering the 2030 future.


Summary: I didn't gain any positive/constructive/facilitative knowledge from your reply on my concerns about VMware's compatibility politics. Now it even took me time to broaden your sight? But I guess you are too "fancy" to understand anything of what I'm talking about,
or should I ask myself now how you got in contact with technology? Should I guess you were directly born into someone's tech ivory tower with endless knowledge and resources?

DCasota
Expert

Hi,
 
I'm re-reading the 'negative about VMware' voices here on communities.vmware.com, which at the same time are honoring that the VMUG Advantage membership is a very attractive community offer.
Having chosen the wrong hardware has happened quite a few times.
 
Hence, a disadvantage is that there is no VMUG store with officially advertised hardware for a specific homelab purpose.
 
An effort in this direction has been made by vExperts and can be found at https://github.com/lamw/homelab, but the purpose there is separated from a store buy option.
 
In a store, it would be nice to set a filter for the homelab purpose chosen and the costs you are willing to spend for your homelab.
 
Here is a draft.
 
                                        | costs combo VMUG advantage membership + hardware
   homelab purpose                      | < 500 US$ | < 1500 US$ | < 5000 US$  | >= 5000 US$
------------------------------------------------------------------------------------------
Workstation, Fusion                     |           |            |             |
ESXi                                    |           |            |             |
vCenter Server                          |           |            |             |
vSAN                                    |           |            |             |
NSX-T                                   |           |            |             |
vRealize Operations                     |           |            |             |
vRealize Log Insight                    |           |            |             |
vRealize Automation                     |           |            |             |
Horizon View                            |           |            |             |
Tanzu                                   |           |            |             |
VMware Cloud Foundation                 |           |            |             |
 
A year ago, Russel Hamker for instance spent 15'000 US$ (!) on his homelab, and with that he is able to tinker with all products, and with hardware support for more than one year.
A few months ago, Eddie Kwok added his homelab's bill of materials for ESXi, vCenter and vSAN. He spent less than 1'000 US$ for the combo.
 
Another disadvantage is the fact that the vExpert community did not update the homelab list with a focus on GPU.
Actually with #ProjectKeswick, William Lam adds one kit after the other on his blog. The latest one was this week, see https://williamlam.com/2023/09/esxi-on-lenovo-thinkstation-p3-ultra.html.
Nevertheless, more than a blog entry, a VMUG Advantage store buy option could be helpful.
 
Thoughts about the idea?
 
Personal: I left the vExpert community because of a lack of time to exercise with "heavy systems" on the job and at home. VMware Workstation suddenly was good enough for the purpose needed. One of my current homelab computer systems, a Lenovo with a 13th Gen Intel(R) Core(TM) i9-13905H 2.60 GHz, 64 GB RAM and an Nvidia RTX4070 GPU, was about 3500 US$. It is not on the VMware ESXi compatibility matrix, and it was my decision to buy the hardware. The long story of this thread in short: 12 months ago I bought a HPE 250 G8 and used it as a tiny ESXi homelab. I learned about the strict ESXi 8.0++ TPM 2.0 specs [Secure Boot must be enabled, ability to set the TPM2 algorithm to SHA256, SHA1 is not sufficient, ++]. At that time it was new for me. Others had already blogged about TPM 2.0 because of their experience in business with new server hardware.
jsm79
Enthusiast

Same issue here. Dell PowerEdge R7515 w/ AMD Epyc 7543P. Running Dell custom 8.0U2.
