Other than various clock errors, what causes the safe flag to be set to 1, as written into the output of tpm2_quote?

We're seeing some odd behaviour from some machines where safe is always set to 1 (Lenovo laptop), and on other servers safe is occasionally set to 1 and then returns to 0 on subsequent quotes.

For example, we might take a number of quotes over time, e.g. 5 minutes apart. One of those quotes will have safe set to 1, the others are all 0. During this time the machine will *not* have experienced a reboot/reset nor - as far as we can tell - any form of powersave or shutdown. We've also noticed that safe gets set to 1 only on some quotes, e.g. when quoting sha256:16,17,18 for the DRTM measurements.

The machines are all Xeon-E5 based servers, TPM2.0, tpm2_tools 1.3-rc2 installed, Ubuntu 17.04 with 4.13 kernel.

Any information appreciated here,



Dr. Ian Oliver
Privacy Engineering:  via Amazon
Twitter: @i_j_oliver