Nothing seen with the TPM simulator - that works correctly (according to the TCG spec).

Lenovo X1 laptops seem to report "1" as the value of safe all the time. The Xeon based server which varies its value of safe seems to be "randomish".

We're talking with the BIOS manufacturer at the moment too, but it seems they consider TPM to be "esoteric" at best.

I'll let you know if we find out anything more, but mainly this was to check with you all just in case you've seen this, to be sure there's nothing strange in the tpm2 tool stack and also whether anyone had any ideas why at all.

t.

Ian

On 15 March 2018 at 23:18, Roberts, William C <william.c.roberts@intel.com> wrote:
Ian,

I wish I could help you more, but this sounds like an issue with the TPM. It might be something in the spec I am not aware of. Is this reproducible across different manufacturers of tpms? What about using the ibm tpm simulator?

Bill

From: Ian Oliver [mailto:ian.justin.oliver@gmail.com]
Sent: Thursday, March 15, 2018 1:27 PM
To: Roberts, William C <william.c.roberts@intel.com>
Cc: tpm2@lists.01.org
Subject: Re: [tpm2] tpm2_quote and "safe"

Thanks William,
We can only find a reference to the clock too which is what has us a little confused.
Basically we can take quotes; within that structure is the TPMS_CLOCK_INFO struct which contains field safe: TPMI_YES_NO. We can take a series of quotes, say, a few minutes apart and see that particular value change to 1 and then back to 0.
The TPM is not being shut down during this time, i.e. the whole machine is powered on and running normally and thus there is no reason to suspect that the clock is in some inconsistent state according to the spec.
Is it possible that the TPM is being powered off by the CPU in some power saving mode and therefore causing the current clock value not to be saved and reread correctly when the TPM is restarted? We've a script that parses the quote and maps this to JSON - we've checked that and it is functioning fine (across half a dozen machines and literally 1000s of quotes now); the quote value obtained from the TPM isn't being changed in any way (we check the signature against the AK), therefore our hunch is that something very low down in the system is causing this.
I can send details of the machines and processors off-list if you want.

t.
Ian

On 15 March 2018 at 19:57, Roberts, William C <william.c.roberts@intel.com> wrote:
I don't see that safe value coming out of quote. The only reference I can find in the spec is in regard to clock.

Can you be more specific?

From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ian Oliver
Sent: Tuesday, March 13, 2018 6:11 AM
To: tpm2@lists.01.org
Subject: [tpm2] tpm2_quote and "safe"
 
Hi,
other than various clock errors, what causes the safe flag to be set to 1 as written into the output of tpm2_quote?
We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop) and on other servers occasionally safe is set to 1 and then returning to 0 on subsequent quotes.
For example, we might take a number of quotes over time, e.g. 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, e.g. when quoting sha256:16,17,18 for the DRTM measurements.
 
The machines are all Xeon-E5 based servers, TPM 2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel.
Any information appreciated here,
thanks
Ian


--
Dr. Ian Oliver
===============================
Privacy Engineering: via Amazon
Twitter: @i_j_oliver

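The parsing step Ian describes (walking the TPMS_ATTEST returned by tpm2_quote to reach TPMS_CLOCK_INFO.safe) and the hunt for safe flipping between consecutive quotes, as an added example that is not part of this thread, of tpm2-tools or of the list members' scripts. It assumes the input is the raw TPMS_ATTEST bytes (a TPM2B_ATTEST size prefix, if present, is skipped), follows the field order of TPM 2.0 Part 2 (magic, type, qualifiedSigner, extraData, clockInfo, firmwareVersion, attested), and the sample quotes are constructed with a helper rather than captured from a TPM. Signature verification against the AK, which the thread says is done separately, is outside this block.

```python
import struct

TPM_GENERATED = 0xFF544347       # TPMS_ATTEST.magic (TPM_GENERATED_VALUE)
TPM_ST_ATTEST_QUOTE = 0x8018     # TPMS_ATTEST.type written by tpm2_quote


def _tpm2b(buf, off):
    """Read a TPM2B_* field (big-endian UINT16 size + bytes) at off."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B size %d runs past end of buffer" % size)
    return buf[off:off + size], off + size


def parse_clock_info(attest):
    """Parse the fixed head of a quote TPMS_ATTEST (magic .. firmwareVersion) and
    return the TPMS_CLOCK_INFO fields. Raises ValueError on malformed input.
    The attested TPMS_QUOTE_INFO tail (PCR selection and digest) is not parsed."""
    # Accept a TPM2B_ATTEST wrapper (UINT16 size in front) as well as a bare TPMS_ATTEST.
    if len(attest) >= 6 and struct.unpack_from(">I", attest, 0)[0] != TPM_GENERATED \
            and struct.unpack_from(">I", attest, 2)[0] == TPM_GENERATED:
        attest = attest[2:]
    try:
        magic, typ = struct.unpack_from(">IH", attest, 0)
        off = 6
        if magic != TPM_GENERATED:
            raise ValueError("bad magic 0x%08x" % magic)
        if typ != TPM_ST_ATTEST_QUOTE:
            raise ValueError("not a quote attestation: type 0x%04x" % typ)
        signer, off = _tpm2b(attest, off)        # TPM2B_NAME qualifiedSigner
        extra, off = _tpm2b(attest, off)         # TPM2B_DATA extraData (qualifying data)
        clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", attest, off)
        off += 17                                # UINT64 + UINT32 + UINT32 + TPMI_YES_NO
        (firmware,) = struct.unpack_from(">Q", attest, off)
    except struct.error as e:
        raise ValueError("truncated TPMS_ATTEST: %s" % e)
    if safe not in (0, 1):
        raise ValueError("safe is TPMI_YES_NO, got %d" % safe)
    return {"qualifiedSigner": signer.hex(), "extraData": extra.hex(),
            "clock": clock, "resetCount": reset_count,
            "restartCount": restart_count, "safe": safe, "firmwareVersion": firmware}


def find_clock_anomalies(attests):
    """Walk a time-ordered list of quotes from one TPM and return (index, reason)
    for each quote whose clockInfo disagrees with its predecessor while resetCount
    and restartCount are unchanged: safe flipped, or clock went backwards."""
    infos = [parse_clock_info(a) for a in attests]
    anomalies = []
    for i in range(1, len(infos)):
        prev, cur = infos[i - 1], infos[i]
        same_epoch = (prev["resetCount"] == cur["resetCount"]
                      and prev["restartCount"] == cur["restartCount"])
        if not same_epoch:
            continue   # a reset/restart legitimately explains a change in safe or clock
        if prev["safe"] != cur["safe"]:
            anomalies.append((i, "safe changed %d -> %d" % (prev["safe"], cur["safe"])))
        if cur["clock"] < prev["clock"]:
            anomalies.append((i, "clock went backwards"))
    return anomalies


def build_attest(clock, reset_count, restart_count, safe, extra=b""):
    """Construct a minimal quote TPMS_ATTEST for the sample below (constructed test
    data, not TPM output); the attested tail is omitted because the parser stops
    at firmwareVersion."""
    signer = b"\x00\x0b" + b"\x11" * 32           # TPM2B_NAME body: TPM_ALG_SHA256 + placeholder hash
    out = struct.pack(">IH", TPM_GENERATED, TPM_ST_ATTEST_QUOTE)
    out += struct.pack(">H", len(signer)) + signer
    out += struct.pack(">H", len(extra)) + extra
    out += struct.pack(">QIIB", clock, reset_count, restart_count, safe)
    out += struct.pack(">Q", 0x0123456789ABCDEF)  # firmwareVersion placeholder
    return out


# Constructed series: quotes 5 minutes (300000 ms of Clock) apart in the same
# reset/restart epoch, with safe briefly flipping to 1, as described in the thread.
SAMPLE_QUOTES = [
    build_attest(60000, 3, 0, 0, b"nonce1"),
    build_attest(360000, 3, 0, 1, b"nonce2"),
    build_attest(660000, 3, 0, 0, b"nonce3"),
]

if __name__ == "__main__":
    for i, q in enumerate(SAMPLE_QUOTES):
        print(i, parse_clock_info(q))
    print(find_clock_anomalies(SAMPLE_QUOTES))
```

Feeding the real quote files into parse_clock_info and logging the returned dict alongside each quote gives the same reset/restart context the thread is missing: if resetCount or restartCount moves together with safe, the TPM did see a reset or restart even though the host did not reboot; if they stay fixed while safe flips, the anomaly is in the TPM or its platform firmware rather than in the tool stack.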