Can't get a Windows 11 installer to recognize a TPM

I’m trying to get a Windows 11 VM up and running. I’ve used distrobuilder to add the virtio drivers and set the following as most instructions show…

incus config device add vmwin11 vtpm tpm path=/dev/tpm0

The installer however always stops here…

The tpm device nodes are there and I’ve verified the major version…


~ ᐅ ls -al /dev/tpm*
crw-rw----@    10,224 tss   9 Mar 16:26 /dev/tpm0
crw-rw----@ 252,65536 root  9 Mar 16:26 /dev/tpmrm0
~ ᐅ cat /sys/class/tpm/tpm0/tpm_version_major
2

And the tpm2 tools can see it…

~ ᐅ sudo tpm2 getcap -l
- algorithms
- commands
- pcrs
- properties-fixed
- properties-variable
- ecc-curves
- handles-transient
- handles-persistent
- handles-permanent
- handles-pcr
- handles-nv-index
- handles-loaded-session
- handles-saved-session
- vendor

I even have swtpm installed although I haven’t a clue how to make use of it.

Google’s AI recommended the following which failed as most Google AI recommendations do…

~ ᐅ incus config set win11vm security.tpm true
Error: Invalid expanded config: Unknown configuration key: security.tpm

What am I missing?

 ᐅ incus config show win11vm --expanded
architecture: x86_64
config:
  boot.autostart: "false"
  limits.cpu: "10"
  limits.memory: 32GiB
  security.secureboot: "true"
  volatile.cloud-init.instance-id: 4984cc08-3cff-47f8-a750-83f628ef4a2f
  volatile.disk-device-1.io.bus: virtiofs
  volatile.eth0.host_name: maca97b790b
  volatile.eth0.hwaddr: 10:66:6a:cb:db:9e
  volatile.eth0.last_state.created: "false"
  volatile.install.io.bus: usb
  volatile.last_state.power: RUNNING
  volatile.root.io.bus: nvme
  volatile.uuid: 7a5bfbe6-25bf-4a76-a887-3c4cfe1be15e
  volatile.uuid.generation: 7a5bfbe6-25bf-4a76-a887-3c4cfe1be15e
  volatile.virtio.io.bus: usb
  volatile.vm.definition: pc-q35-10.1
  volatile.vm.rtc_adjustment: "-1"
  volatile.vm.rtc_offset: "-1"
  volatile.vsock_id: "1784902643"
devices:
  disk-device-1:
    path: /mnt/virt-shared
    source: /data1/virt-shared
    type: disk
  disk-device-2:
    type: none
  eth0:
    network: macvlan
    type: nic
  install:
    boot.priority: "10"
    io.bus: usb
    source: /data1/vmwin11_xfer/Win11_25H2_English_x64.incus.iso
    type: disk
  root:
    io.bus: nvme
    path: /
    pool: incus_data2
    size: 512GiB
    type: disk
  vtpm:
    path: /dev/tpm0
    type: tpm
ephemeral: false
profiles:
- default
stateful: false
description: ""

~ ᐅ incus version
Client version: 6.18
Server version: 6.18

~ ᐅ uname -a
Linux ernie.f5.int 6.18.13-200.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Feb 19 19:54:01 UTC 2026 x86_64 GNU/Linux

~ ᐅ dnf list incus*
Updating and loading repositories:
Repositories loaded.
Installed packages
incus.x86_64                  6.22.0-1.fc43       f5en
incus-agent.x86_64            6.22.0-1.fc43       f5en
incus-client.x86_64           6.22.0-1.fc43       f5en
incus-selinux.noarch          6.22.0-1.fc43       f5en
incus-tools.x86_64            6.22.0-1.fc43       f5en
incus-ui-canonical.noarch     0.19.9-3            f5en

** f5en is my own repo as I build from source

Lose the path=/dev/tpm0; for a VM, this usually works fine:

incus config device add MY-VM vtpm tpm

Unfortunately, that didn’t work. :frowning:

However, I did just notice this from the journal…

 _sasl_plugin_load failed on sasl_server_plug_init for plugin: gssapiv2
 gssapiv2_client_plug_init() failed in sasl_server_add_plugin(): generic failure
 Could not find keytab file: /etc/qemu/krb5.tab: Unknown error 1737441660
 _sasl_plugin_load failed on sasl_server_plug_init for plugin: gssapiv2
 gssapiv2_client_plug_init() failed in sasl_server_add_plugin(): generic failure
 Could not find keytab file: /etc/qemu/krb5.tab: Unknown error 1737441660
 *HARK*  log.c:  97: core_log_lib_info: compiled with libndctl 63+
 *HARK*  log.c:  94: core_log_lib_info: compiled with support for shutdown state
 *HARK*  log.c:  92: core_log_lib_info: src version: 2.1.0

Whether that has anything to do with the issue or not I have no idea. I don’t think I’ve used Kerberos in more than 20 years. :slight_smile:

Should I remove path=/dev/tpm0 from https://blog.simos.info/how-to-run-a-windows-virtual-machine-on-incus-on-linux/ ?

The answer is yes, per the "Type: tpm" page of the Incus documentation, as the path is required only for containers.

I updated the tutorial to reflect this.

@simos You missed a spot. :slight_smile: The path is still referenced in Bonus material #1.

You may also want to mention setting secureboot to true.

Thanks, I removed the last occurrence of path=/dev/tpm0.

Regarding secureboot, do you remember why we were not enabling it before?
Is there something relevant to Windows that should be also mentioned in the post?

It is required for Windows of course but the default is “true” I guess…

security.secureboot
Whether UEFI secure boot is enforced with the default Microsoft keys

Key:	security.secureboot
Type:	bool
Default:	true
Live update:	no
Condition:	virtual machine

I had it forced to false in my “default” profile because up to now I’ve only been creating Linux VMs. When I created the first attempt of this VM, the installer complained about it not being set. Looking back, I probably inherited it from the default profile.

I guess it’s OK to leave it out since “true” is the default.

Well, I give up. I’ve tried every suggestion I can find, but the Windows installer still doesn’t recognize the TPM. I did add the TPM to an Ubuntu 24 VM and it does show up in the VM and I can access it, so I have no idea what’s going on. Ah well.
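
The two configuration points raised in this thread (a VM's tpm device should carry no path, and security.secureboot should not be forced to false) can be checked mechanically against the output of `incus config show <instance> --expanded`. This is an added example, not part of the original posts or of Incus itself; the function name `lint_vm_tpm`, its finding labels and the sample YAML are constructed for illustration.

```shell
# Added example: lint `incus config show <instance> --expanded` output (stdin)
# for the two VM settings discussed in this thread. Names are hypothetical.
lint_vm_tpm() {
    awk '
        function flush() {                     # close the device block being read
            if (dev != "" && type == "tpm") {
                tpm_seen = 1
                if (path != "") print "tpm-path-set " dev " " path
            }
            dev = ""; type = ""; path = ""
        }
        /^[^ ]/ { flush(); section = $1 }      # top-level key: config:, devices:, ...
        section == "config:" && $1 == "security.secureboot:" {
            sb = $2; gsub(/"/, "", sb)         # value is printed as a quoted string
        }
        section == "devices:" && /^  [^ ]/ {   # two-space indent = device name
            flush(); dev = $1; sub(/:$/, "", dev); next
        }
        section == "devices:" && /^    [^ ]/ { # four-space indent = device key
            if ($1 == "type:") type = $2
            if ($1 == "path:") path = $2
        }
        END {
            flush()
            if (!tpm_seen) print "no-tpm-device"
            if (sb == "false") print "secureboot-off"   # unset means default (true)
        }
    '
}

# Constructed sample, modelled on the kind of output shown in the thread.
sample_config() {
    cat <<'EOF'
config:
  limits.cpu: "10"
  security.secureboot: "false"
devices:
  root:
    path: /
    type: disk
  vtpm:
    path: /dev/tpm0
    type: tpm
ephemeral: false
EOF
}

sample_config | lint_vm_tpm
```

In real use, pipe the live output in: `incus config show win11vm --expanded | lint_vm_tpm`. An empty result means only that these two settings match the advice given in the thread.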