Re: bhyve + swtpm + W11

From: infoomatic <infoomatic_at_gmx.at>
Date: Fri, 28 Nov 2025 10:18:47 UTC
Thanks! Did Windows find and use that TPM? Did you have to configure 
anything?

For the CPU problem: at the current state I do not rule out that this is 
a Windows problem. We see the same excessive CPU usage on our Linux/KVM 
hypervisors.

best regards,

Robert


On 28.11.25 11:15, Marco Orsatti wrote:
> Many thanks!
> 
> It also works in an already installed Windows 11.
> 
> I made a small change to the script so that I can run it in a common 
> location for multiple VMs:
> 
> #!/bin/sh
> 
> VMNAME="$1"
> 
> SOCKET="/tmp/.bhyve.tpm.$VMNAME.sock"
> 
> if [ ! -S "$SOCKET" ]; then
> nohup swtpm socket --tpmstate backend-uri=file:///vm/$VMNAME/tpm.state --server type=unixio,path="$SOCKET" --tpm2 --flags not-need-init &
> fi
> 
> I think it works on Server 2022 and 2025 too, I'll do some testing
> 
> 
> There's another major problem with Windows 11 and Server 2022/25: 
> excessive host CPU usage. Has anyone found a solution?
> 
> Marco
> 
> 
> 
>> On 27 Nov 2025, at 23:57, infoomatic <infoomatic@gmx.at> wrote:
>>
>> Hi,
>>
>> I could not get it to work on an already installed Windows VM - I am 
>> not sure this is a FreeBSD/swtpm issue.
>>
>> On a fresh install I have had no issue.
>>
>> my config:
>> bhyve_options="-l tpm,swtpm,/tmp/.bhyve.tpm.win11.sock"
>> prestart="tpm.sh"
>>
>> and with tpm.sh:
>> #!/bin/sh
>>
>> SOCKET="/tmp/.bhyve.tpm.win11.sock"
>>
>> if [ ! -S "$SOCKET" ]; then
>> nohup swtpm socket --tpmstate backend-uri=file:///evo/vms/win11/tpm.state --server type=unixio,path="$SOCKET" --tpm2 --flags not-need-init &
>> fi
>>
>> hth,
>>
>> Robert
>>
>>
>> On 27.11.25 15:30, Andrea Venturoli wrote:
>>> Hello.
>>> I'm hitting my head on this, but cannot make it work.
>>> Is it expected to work or am I just wasting my time?
>>> FreeBSD 14.3/amd64
>>> edk2-bhyve-g202308_5
>>> vm-bhyve-1.6.2_1
>>>  bye & Thanks
>>>     av.
>>> P.S.
>>> In case someone is interested in the details:
>>> vmbhyve starts bhyve with:
>>>> bhyve options: -c 3,sockets=1,cores=3,threads=1 -m 4G -AHPw -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd -l tpm,swtpm,/var/run/swtpm/tpm -k /zroot/vm/eserver/bhyve.conf -U f753439f-bffa-11e8-b279-a4bf0142162f]
>>>> bhyve devices: -s 0,hostbridge -s 31,lpc -s 4:0,virtio-blk,/dev/zvol/zroot/vm/eserver/disk0,sectorsize=512 -s 5:0,virtio-net,tap0,mac=58:9c:fc:00:11:65 -s 6:0,fbuf,tcp=192.168.XXX.1:25900 -s 7:0,xhci,tablet]
>>> Windows sees the TPM device but says it cannot be started (code 10) 
>>> due to a protocol error.
>>> In bhyve.log I see:
>>>> /tmp/bhyve.z4HOkg5    873:         OperationRegion(TPP1, SystemMemory, Add(0xfed45000, Arg0), One)
>>>> Remark   2173 -                                      ^ Creation of named objects within a method is highly inefficient, use globals or method local variables instead (\_SB.TPM.TPFN)
>>>>
>>>> /tmp/bhyve.z4HOkg5    895:       Method(_DSM, 4, Serialized)
>>>> Warning  3115 -                           ^ Not all control paths return a value (\_SB.TPM._DSM)
>>>>
>>>> /tmp/bhyve.z4HOkg5    895:       Method(_DSM, 4, Serialized)
>>>> Warning  3107 -                           ^ Reserved method must return a value (Integer/String/Buffer/Package/Reference required for _DSM)
>>>>
>>>> /tmp/bhyve.z4HOkg5    985:         If(LEqual(Arg0, ToUUID("376054ED-CC13-4675-901C-4756D7F2D45D"))) /* UUID */
>>>> Remark   2184 -                                                            Unknown UUID string ^
>>>> bhyve: tpm_swtpm_execute_cmd: rsp read failed (bytes read: 4 / 3968): No error: 0
>>>> bhyve: tpm_crb_mem_handler: cancelling a TPM command is not implemented yet
>>>> bhyve: tpm_swtpm_execute_cmd: rsp read failed (bytes read: 4 / 3968): No error: 0
>>>> bhyve: tpm_crb_mem_handler: cancelling a TPM command is not implemented yet
>>>> bhyve: tpm_swtpm_execute_cmd: rsp read failed (bytes read: 4 / 3968): No error: 0
>>> In swtpm logs:
>>>>  Ctrl Cmd: length 12
>>>>  80 01 00 00 00 0C 00 00 01 44 00 00
>>>> Error: Unknown command: 0x80010000
>>>>  Ctrl Rsp: length 4
>>>>  00 00 00 0A
>>>>  Ctrl Cmd: length 22
>>>>  80 01 00 00 00 16 00 00 01 7A 00 00 00 06 00 00  01 00 00 00 00 2A
>>>> Error: Unknown command: 0x80010000
>>>>  Ctrl Rsp: length 4
>>>>  00 00 00 0A
>>>>  Ctrl Cmd: length 22
>>>>  80 01 00 00 00 16 00 00 01 7A 00 00 00 06 00 00  01 00 00 00 00 2A
>>>> Error: Unknown command: 0x80010000
>>>>  Ctrl Rsp: length 4
>>>>  00 00 00 0A
>>> This looks possibly like:
>>>> https://github.com/stefanberger/swtpm/issues/1069
>>> That's for a different platform however and I have no idea how to 
>>> "port" those info to bhyve.
>>> I have no previous experiences with swtpm (and I find it hard to get 
>>> a good howto/tutorial); TPM passthrough works for me (but obviously 
>>> not on machines without TPM).
>>
>>
>
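Added decoder for the hex dumps in Andrea's swtpm log above (example code written for this thread, not from any of the posters or from swtpm/bhyve). It assumes the TPM 2.0 command header layout (tag, commandSize, commandCode) and that swtpm's control socket reads the first 4 bytes of a packet as its own command id and answers an unknown one with a 4-byte TPM_RESULT; on that reading the 12- and 22-byte packets are ordinary TPM2_Startup and TPM2_GetCapability data-channel commands arriving on the control channel, which is consistent with bhyve being pointed at swtpm's ctrl socket instead of the `--server` socket that the working configs in the thread use.

```python
import struct

# Values from the TPM 2.0 Library spec (Part 2) that appear in the quoted swtpm log.
TPM_ST = {0x8001: "TPM_ST_NO_SESSIONS", 0x8002: "TPM_ST_SESSIONS"}
TPM2_CC = {0x144: "TPM2_Startup", 0x17A: "TPM2_GetCapability"}
TPM_SU = {0: "TPM_SU_CLEAR", 1: "TPM_SU_STATE"}
TPM_CAP = {6: "TPM_CAP_TPM_PROPERTIES"}
# swtpm answers an unknown control-channel command with a 4-byte TPM_RESULT; 10 is TPM_BAD_ORDINAL.
SWTPM_CTRL_RC = {0: "TPM_SUCCESS", 10: "TPM_BAD_ORDINAL"}

def parse_tpm2_command(raw: bytes) -> dict:
    """Decode a TPM2 command header and the parameters of the two commands seen in the log."""
    if len(raw) < 10:
        raise ValueError("TPM2 command header needs at least 10 bytes")
    tag, size, cc = struct.unpack(">HII", raw[:10])
    info = {
        "tag": TPM_ST.get(tag, hex(tag)),
        "size": size,
        "size_ok": size == len(raw),
        "command": TPM2_CC.get(cc, hex(cc)),
        # swtpm's control socket reads the first 4 bytes as its own command id,
        # which is what produces "Unknown command: 0x80010000" in the log.
        "as_ctrl_command": struct.unpack(">I", raw[:4])[0],
    }
    if cc == 0x144 and len(raw) >= 12:          # TPM2_Startup: 2-byte startupType
        su = struct.unpack(">H", raw[10:12])[0]
        info["params"] = {"startupType": TPM_SU.get(su, hex(su))}
    elif cc == 0x17A and len(raw) >= 22:        # TPM2_GetCapability: capability, property, count
        cap, prop, count = struct.unpack(">III", raw[10:22])
        info["params"] = {"capability": TPM_CAP.get(cap, hex(cap)),
                          "property": hex(prop), "propertyCount": count}
    return info

def parse_ctrl_response(raw: bytes) -> str:
    """Decode the 4-byte big-endian TPM_RESULT swtpm returns on its control socket."""
    rc = struct.unpack(">I", raw[:4])[0]
    return SWTPM_CTRL_RC.get(rc, hex(rc))

def is_tpm2_header(raw: bytes) -> bool:
    """True when the bytes start like a TPM2 data-channel command (tag 0x8001/0x8002)."""
    return len(raw) >= 10 and raw[:2] in (b"\x80\x01", b"\x80\x02")

# Constructed from the hex dumps in Andrea's swtpm log (typed in here, not captured live).
CTRL_CMD_12 = bytes.fromhex("80010000000c000001440000")
CTRL_CMD_22 = bytes.fromhex("8001000000160000017a00000006000001000000002a")
CTRL_RSP = bytes.fromhex("0000000a")

if __name__ == "__main__":
    for pkt in (CTRL_CMD_12, CTRL_CMD_22):
        print("TPM2 data command on ctrl socket:", is_tpm2_header(pkt), parse_tpm2_command(pkt))
    print("ctrl response:", parse_ctrl_response(CTRL_RSP))
```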