Thanks William,

We can only find a reference to the clock too which is what has us a little confused.

Basically we can take quotes; within that structure is the TPMS_CLOCK_INFO struct, which contains the field safe: TPMI_YES_NO. We can take a series of quotes, say, a few minutes apart and see that particular value change to 1 and then back to 0.

The TPM is not being shut down during this time, i.e. the whole machine is powered on and running normally, and thus there is no reason to suspect that the clock is in some inconsistent state according to the spec.

Is it possible that the TPM is being powered off by the CPU in some power saving mode and therefore causing the current clock value not to be saved and reread correctly when the TPM is restarted? We've a script that parses the quote and maps this to JSON; we've checked that and it is functioning fine (across half a dozen machines and literally 1000s of quotes now). The quote value obtained from the TPM isn't being changed in any way (we check the signature against the AK), therefore our hunch is that something very low down in the system is causing this.

I can send details of the machines and processors off-list if you want.

t.

Ian

On 15 March 2018 at 19:57, Roberts, William C <william.c.roberts@intel.com> wrote:

I don't see that safe value coming out of quote. The only reference I can find in the spec is in regards to clock.


Can you be more specific?


From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Ian Oliver
Sent: Tuesday, March 13, 2018 6:11 AM
To: tpm2@lists.01.org
Subject: [tpm2] tpm2_quote and "safe"


Hi,

Other than various clock errors, what causes the safe flag to be set to 1 as written into the output of tpm2_quote?

We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop), and on other servers safe is occasionally set to 1 and then returns to 0 on subsequent quotes.

For example, we might take a number of quotes over time, e.g. 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, e.g. when quoting sha256:16,17,18 for the DRTM measurements.


The machines are all Xeon-E5 based servers, TPM 2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel.

Any information appreciated here,

thanks

Ian


--

Dr. Ian Oliver
===============================

Privacy Engineering:  via Amazon
Twitter: @i_j_oliver

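As an added example, not code from this thread or from tpm2-tools: a Python unmarshaller for the TPMS_ATTEST blob that tpm2_quote writes out, which pulls out the TPMS_CLOCK_INFO fields (clock, resetCount, restartCount, safe) and the PCR selection, plus the check a verifier should run over a series of quotes: flag safe=0 (per the TPM 2.0 spec, a larger clock value may have been reported before), and flag safe flipping or clock going backwards while resetCount/restartCount are unchanged, which is the pattern the thread describes. QuoteInfo, parse_attest, build_attest and check_series are names assumed here, and build_attest constructs synthetic blobs so the example runs offline without a TPM.

```python
import struct
from collections import namedtuple

TPM_GENERATED = 0xFF544347    # magic at the start of every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018  # attestation type produced by TPM2_Quote
TPM_ALG_SHA256 = 0x000B
# clock/reset_count/restart_count/safe are the four TPMS_CLOCK_INFO fields (safe is TPMI_YES_NO, one byte)
QuoteInfo = namedtuple("QuoteInfo", "clock reset_count restart_count safe pcrs pcr_digest")

def parse_attest(buf: bytes) -> QuoteInfo:
    """Unmarshal the big-endian TPMS_ATTEST that tpm2_quote writes out (TPM 2.0 Part 2)."""
    magic, atype = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED or atype != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    off = 6
    for _ in range(2):  # skip TPM2B_NAME qualifiedSigner and TPM2B_DATA extraData
        (n,) = struct.unpack_from(">H", buf, off); off += 2 + n
    clock, rst, rstrt, safe, _fw, count = struct.unpack_from(">QIIBQI", buf, off)
    off += 29  # clockInfo (17) + firmwareVersion (8) + TPML_PCR_SELECTION.count (4)
    pcrs = {}
    for _ in range(count):  # each TPMS_PCR_SELECTION: hash alg, sizeofSelect, bitmap
        alg, size = struct.unpack_from(">HB", buf, off); off += 3
        sel = buf[off:off + size]; off += size
        pcrs[alg] = [i for i in range(size * 8) if sel[i // 8] >> (i % 8) & 1]
    (dlen,) = struct.unpack_from(">H", buf, off); off += 2  # TPM2B_DIGEST pcrDigest
    return QuoteInfo(clock, rst, rstrt, safe, pcrs, buf[off:off + dlen])

def build_attest(clock, reset, restart, safe, pcr_idx, digest=b"\x11" * 32) -> bytes:
    """Constructed sample TPMS_ATTEST for offline testing; not real TPM output."""
    sel = bytearray(3)
    for i in pcr_idx:
        sel[i // 8] |= 1 << (i % 8)
    return (struct.pack(">IHHH", TPM_GENERATED, TPM_ST_ATTEST_QUOTE, 0, 0)  # empty name/extraData
            + struct.pack(">QIIBQI", clock, reset, restart, safe, 0, 1)
            + struct.pack(">HB", TPM_ALG_SHA256, 3) + bytes(sel)
            + struct.pack(">H", len(digest)) + digest)

def check_series(blobs) -> list:
    """Flag clock-info states a verifier should not trust before using the clock for ordering."""
    findings, prev = [], None
    for n, q in enumerate(parse_attest(b) for b in blobs):
        if not q.safe:
            findings.append((n, "safe=0: a larger clock value may have been reported earlier"))
        if prev is not None and (q.reset_count, q.restart_count) == (prev.reset_count, prev.restart_count):
            if q.safe != prev.safe:
                findings.append((n, "safe flipped with no reset/restart counted"))
            if q.clock < prev.clock:
                findings.append((n, "clock went backwards with no reset/restart counted"))
        prev = q
    return findings
```

Feeding it the message files from a run of quotes taken minutes apart gives the index of every quote whose clock info should not be relied on, which is the first thing to correlate against power-management events on the affected hosts.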