diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c
--- a/sys/amd64/vmm/vmm.c
+++ b/sys/amd64/vmm/vmm.c
@@ -2797,8 +2797,9 @@
 
 #ifdef BHYVE_SNAPSHOT
 static int
-vm_snapshot_vcpus(struct vm *vm, struct vm_snapshot_meta *meta)
+vm_snapshot_vcpus(struct vm *vm, struct vm_snapshot_meta *meta, uint64_t tsc_base)
 {
+	uint64_t tsc;
 	int ret;
 	int i;
 	struct vcpu *vcpu;
@@ -2814,13 +2815,15 @@
 		SNAPSHOT_VAR_OR_LEAVE(vcpu->guest_xcr0, meta, ret, done);
 		SNAPSHOT_VAR_OR_LEAVE(vcpu->exitinfo, meta, ret, done);
 		SNAPSHOT_VAR_OR_LEAVE(vcpu->nextrip, meta, ret, done);
-		/* XXX we're cheating here, since the value of tsc_offset as
-		 * saved here is actually the value of the guest's TSC value.
+
+		/*
+		 * Save the absolute TSC value by adding tsc_base to tsc_offset.
 		 *
 		 * It will be turned turned back into an actual offset when the
 		 * TSC restore function is called
 		 */
-		SNAPSHOT_VAR_OR_LEAVE(vcpu->tsc_offset, meta, ret, done);
+		tsc = tsc_base + vcpu->tsc_offset;
+		SNAPSHOT_VAR_OR_LEAVE(tsc, meta, ret, done);
 	}
 
 done:
@@ -2831,34 +2834,16 @@
 vm_snapshot_vm(struct vm *vm, struct vm_snapshot_meta *meta)
 {
 	int ret;
-	int i;
 	uint64_t now;
 
-	ret = 0;
 	now = rdtsc();
 
-	if (meta->op == VM_SNAPSHOT_SAVE) {
-		/* XXX make tsc_offset take the value TSC proper as seen by the
-		 * guest
-		 */
-		for (i = 0; i < VM_MAXCPU; i++)
-			vm->vcpu[i].tsc_offset += now;
-	}
-
-	ret = vm_snapshot_vcpus(vm, meta);
+	ret = vm_snapshot_vcpus(vm, meta, now);
 	if (ret != 0) {
 		printf("%s: failed to copy vm data to user buffer", __func__);
 		goto done;
 	}
 
-	if (meta->op == VM_SNAPSHOT_SAVE) {
-		/* XXX turn tsc_offset back into an offset; actual value is only
-		 * required for restore; using it otherwise would be wrong
-		 */
-		for (i = 0; i < VM_MAXCPU; i++)
-			vm->vcpu[i].tsc_offset -= now;
-	}
-
 done:
 	return (ret);
 }