diff --git a/pkgs/misc/tpm2-pkcs11/default.nix b/pkgs/misc/tpm2-pkcs11/default.nix
index faf2bdd5570c..91b7c31eb323 100644
--- a/pkgs/misc/tpm2-pkcs11/default.nix
+++ b/pkgs/misc/tpm2-pkcs11/default.nix
@@ -2,6 +2,7 @@
 , pkg-config, autoreconfHook, autoconf-archive, makeWrapper, patchelf
 , tpm2-tss, tpm2-tools, opensc, openssl, sqlite, python3, glibc, libyaml
 , abrmdSupport ? true, tpm2-abrmd ? null
+, fapiSupport ? true
 }:
 
 stdenv.mkDerivation rec {
@@ -15,7 +16,10 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-SoHtgZRIYNJg4/w1MIocZAM26mkrM+UOQ+RKCh6nwCk=";
   };
 
-  patches = [ ./version.patch ];
+  patches = [
+    ./version.patch
+    ./graceful-fapi-fail.patch
+  ];
 
   # The preConfigure phase doesn't seem to be working here
   # ./bootstrap MUST be executed as the first step, before all
@@ -25,6 +29,11 @@ stdenv.mkDerivation rec {
     ./bootstrap
   '';
 
+  configureFlags = lib.optionals (!fapiSupport) [
+    # Note: this will be renamed to with-fapi in next release.
+    "--enable-fapi=no"
+  ];
+
   nativeBuildInputs = [
     pkg-config autoreconfHook autoconf-archive makeWrapper patchelf
   ];
diff --git a/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch b/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch
new file mode 100644
index 000000000000..26712e9830c7
--- /dev/null
+++ b/pkgs/misc/tpm2-pkcs11/graceful-fapi-fail.patch
@@ -0,0 +1,51 @@
+From 2e3e3c0b0f4e0c19e411fd46358930bf158ad3f5 Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@earth.li>
+Date: Wed, 1 Feb 2023 09:29:58 +0000
+Subject: [PATCH] Gracefully fail FAPI init when it's not compiled in
+
+Instead of emitting:
+
+   WARNING: Getting tokens from fapi backend failed.
+
+errors when FAPI support is not compiled in gracefully fail the FAPI
+init and don't log any warnings. We'll still produce a message
+indicating this is what's happened in verbose mode, but normal operation
+no longer gets an unnecessary message.
+
+Fixes #792
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+---
+ src/lib/backend.c      | 4 +++-
+ src/lib/backend_fapi.c | 3 ++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/backend.c b/src/lib/backend.c
+index ca5e2ccf..128f58b9 100644
+--- a/src/lib/backend.c
++++ b/src/lib/backend.c
+@@ -53,7 +53,9 @@ CK_RV backend_init(void) {
+             LOGE(msg);
+             return rv;
+         }
+-        LOGW(msg);
++        if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++            LOGW(msg);
++        }
+     } else {
+         fapi_init = true;
+     }
+diff --git a/src/lib/backend_fapi.c b/src/lib/backend_fapi.c
+index fe594f0e..3a203632 100644
+--- a/src/lib/backend_fapi.c
++++ b/src/lib/backend_fapi.c
+@@ -977,7 +977,8 @@ CK_RV backend_fapi_token_changeauth(token *tok, bool user, twist toldpin, twist
+ 
+ CK_RV backend_fapi_init(void) {
+ 
+-	return CKR_OK;
++	LOGV("FAPI not enabled, failing init");
++	return CKR_FUNCTION_NOT_SUPPORTED;
+ }
+ 
+ CK_RV backend_fapi_destroy(void) {