I don’t see that safe value coming out of quote. The only reference I can find in the spec is in regard to clock.


Can you be more specific?



From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ian Oliver
Sent: Tuesday, March 13, 2018 6:11 AM
To: tpm2@lists.01.org
Subject: [tpm2] tpm2_quote and "safe"



Other than various clock errors, what causes the safe flag to be set to 1 as written into the output of tpm2_quote?

We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop) and on other servers occasionally safe is set to 1 and then returning to 0 on subsequent quotes.

For example, we might take a number of quotes over time, e.g. 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, e.g. when quoting sha256:16,17,18 for the DRTM measurements.


The machines are all Xeon-E5 based servers, TPM2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel.

Any information appreciated here,




Dr. Ian Oliver

Privacy Engineering:  via Amazon
Twitter: @i_j_oliver
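
An added example, not part of the thread and not tpm2-tools code: the safe byte sits in the TPMS_CLOCK_INFO of the signed TPMS_ATTEST, next to clock, resetCount and restartCount, so decoding all four from each quote in a series shows whether a change in safe lines up with a counter change. The layout follows TPM 2.0 Part 2 (Structures); the function names and the sample quotes are constructed for illustration.

```python
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic that opens every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018       # structure tag for a quote

def parse_clock_info(attest: bytes) -> dict:
    """Extract TPMS_CLOCK_INFO from a marshalled (big-endian) TPMS_ATTEST."""
    magic, tag = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE or tag != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote structure")
    off = 6
    for _ in range(2):             # skip qualifiedSigner, then extraData (both TPM2B)
        (size,) = struct.unpack_from(">H", attest, off)
        off += 2 + size
    clock, reset, restart, safe = struct.unpack_from(">QIIB", attest, off)
    if safe not in (0, 1):         # TPMI_YES_NO admits only 0 (NO) and 1 (YES)
        raise ValueError(f"invalid safe byte {safe}")
    return {"clock": clock, "resetCount": reset, "restartCount": restart, "safe": safe}

def safe_changes(quotes):
    """For consecutive quotes, report each change of safe with the counters around it."""
    infos = [parse_clock_info(q) for q in quotes]
    out = []
    for i in range(1, len(infos)):
        prev, cur = infos[i - 1], infos[i]
        if cur["safe"] != prev["safe"]:
            out.append({
                "index": i, "safe": (prev["safe"], cur["safe"]),
                "reset_changed": cur["resetCount"] != prev["resetCount"],
                "restart_changed": cur["restartCount"] != prev["restartCount"],
                "clock_delta_ms": cur["clock"] - prev["clock"],
            })
    return out

def make_sample(clock, reset, restart, safe):
    """Constructed test input: a quote over sha256:16,17,18 with dummy name/nonce/digest."""
    name = b"\x00\x0b" + bytes(32)                      # placeholder signer name
    nonce = b"constructed-nonce"
    pcrs = struct.pack(">IHB", 1, 0x000B, 3) + b"\x00\x00\x07"   # PCR 16-18 bitmap
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(name)) + name
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">QIIB", clock, reset, restart, safe)
            + struct.pack(">Q", 0)                       # firmwareVersion
            + pcrs + struct.pack(">H", 32) + bytes(32))  # pcrDigest

if __name__ == "__main__":
    series = [make_sample(300_000 * i, 7, 0, s) for i, s in enumerate([0, 0, 1, 0])]
    for change in safe_changes(series):
        print(change)
```

The clock field counts milliseconds, so quotes taken 5 minutes apart should differ by roughly 300000; a negative or much smaller delta is worth recording alongside the safe value.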