other than various clock errors what causes the safe flag to be set to 1 as written into the output of tpm2_quote ?
We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop) and on other servers occasionally safe is set to 1 and then returning to 0 on subsequent quotes.
For example, we might take a number of quotes over time, eg: 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, eg: when quoting sha256:16,17,18 for the DRTM measurements.
The machines are all Xeon-E5 based servers, TPM2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel