Getting TPM Error from Windows 10 KVM

[guff666]

I have a Windows 10 KVM installed on PVE 7.1-10. It's running fine, but I've just noticed an error in the System log:

The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.

It's recorded as TPM Event ID 15

Any idea on solutions? Delete and recreate the TPM? The config is:

agent: 1
balloon: 0
boot: order=sata0
cores: 8
hostpci0: 0000:00:14.0
hostpci1: 0000:00:1d.0
hostpci2: 0000:00:1b.0
machine: pc-i440fx-6.1
memory: 16000
meta: creation-qemu=6.1.0,ctime=1639909897
name: <deleted>
net0: e1000=1A:FF:8E:96:55:DC,bridge=vmbr0,firewall=1
numa: 0
onboot: 1
ostype: win10
sata0: localzfs:vm-107-disk-0,cache=writeback,size=256G
scsihw: virtio-scsi-pci
serial3: socket
smbios1: uuid=<deleted>
sockets: 1
tpmstate0: localzfs:vm-107-disk-1,size=4M,version=v2.0
vmgenid: <deleted>

 

[SteveITS]

Old thread but did you do the delete/recreate and did it work?

 

[gfngfn256]

From the OP's config, one can note he does not show bios: ovmf, also he does not have an efidisk. This means he is not using UEFI on that VM.
AFAIK, to be able to use TPM services in Windows 10, one needs a UEFI boot. Hence the error he is receiving.

 

[SteveITS]

Hmm, all of our Windows 11 VMs use OVMF, but all of our Windows Server 2019/2022 VMs use SeaBIOS because they were migrated from Virtuozzo/KVM. Only one 2019 has this error. This VM is normally off and was turned on for basically the first time since it was migrated, 8 months ago.

Edit: sorry just noticed the thread title had Win10 in it

 

[gfngfn256]

Only one 2019 has this error.

Possibly that VM alone is trying to use/check some TPM service. Potentially even looking for a system update (OS) could trigger that error, while assessing/attesting the current system. I fail to understand why one would have a TPM (v2) configured on a system where UEFI is required for the TPM service to be functional. I believe, that Windows Server 2019 also requires UEFI boot for TPM (v2) to work correctly, see this doc.

 

[SteveITS]

That is the question since the others aren't logging it. Something to try at least. I was comparing the VM configs to each other.

 

[SteveITS]

To follow up, the error I mention above is only logged at boot. At the time we had just had a client's laptop have recurring failing TPM events and ultimately needed its motherboard replaced.

Using the below steps (source) one can convert to UEFI boot and avoid the error/let TPM work:

• mbr2gpt /validate /allowFullOS
• mbr2gpt /convert /disk:0 /allowFullOS
• add EFI disk to VM
• change to OVMF BIOS
• (this VM was already machine type q35)
• shut down the VM for the hardware changes to take effect