From patchwork Mon Jan 29 17:41:18 2018
From: Brijesh Singh
To: qemu-devel@nongnu.org
Cc: kvm@vger.kernel.org, Paolo Bonzini, Tom Lendacky, Peter Maydell, Richard Henderson, "Edgar E. Iglesias", "Dr. David Alan Gilbert", Eduardo Habkost, Stefan Hajnoczi, Eric Blake, "Michael S. Tsirkin", "Daniel P. Berrange", Brijesh Singh
Subject: [PATCH v6 09/23] accel: add Secure Encrypted Virtualization (SEV) object
Date: Mon, 29 Jan 2018 11:41:18 -0600
Message-Id: <20180129174132.108925-10-brijesh.singh@amd.com>
In-Reply-To: <20180129174132.108925-1-brijesh.singh@amd.com>
References: <20180129174132.108925-1-brijesh.singh@amd.com>
Add a new memory encryption object 'sev-guest'. The object will be used to create encrypted VMs on AMD EPYC CPUs.
The object provides the properties to pass the guest owner's public Diffie-Hellman key, guest policy and session information required to create the memory encryption context within the SEV firmware. E.g., to launch an SEV guest:

# $QEMU \
   -object sev-guest,id=sev0 \
   -machine ....,memory-encryption=sev0

Cc: Paolo Bonzini
Signed-off-by: Brijesh Singh
---
 accel/kvm/Makefile.objs | 2 +- accel/kvm/sev.c | 179 +++++++++++++++++++++++++++++++++++++++++ docs/amd-memory-encryption.txt | 17 ++++ include/sysemu/sev.h | 53 ++++++++++++ qemu-options.hx | 34 ++++++++ 5 files changed, 284 insertions(+), 1 deletion(-) create mode 100644 accel/kvm/sev.c create mode 100644 include/sysemu/sev.h diff --git a/accel/kvm/Makefile.objs b/accel/kvm/Makefile.objs index 85351e7de7e8..666ceef3dae3 100644 --- a/accel/kvm/Makefile.objs +++ b/accel/kvm/Makefile.objs @@ -1 +1 @@ -obj-$(CONFIG_KVM) += kvm-all.o +obj-$(CONFIG_KVM) += kvm-all.o sev.o diff --git a/accel/kvm/sev.c b/accel/kvm/sev.c new file mode 100644 index 000000000000..e93fdfeb0c8f --- /dev/null +++ b/accel/kvm/sev.c
@@ -0,0 +1,179 @@ +/* + * QEMU SEV support + * + * Copyright Advanced Micro Devices 2016-2018 + * + * Author: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/base64.h" +#include "sysemu/kvm.h" +#include "sysemu/sev.h" +#include "sysemu/sysemu.h" + +#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ +#define DEFAULT_SEV_DEVICE "/dev/sev" + +static void +qsev_guest_finalize(Object *obj) +{ +} + +static char * +qsev_guest_get_session_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return s->session_file ? g_strdup(s->session_file) : NULL; +} + +static void +qsev_guest_set_session_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->session_file = g_strdup(value); +} + +static char * +qsev_guest_get_dh_cert_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return g_strdup(s->dh_cert_file); +} + +static void +qsev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->dh_cert_file = g_strdup(value); +} + +static char * +qsev_guest_get_sev_device(Object *obj, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + return g_strdup(sev->sev_device); +} + +static void +qsev_guest_set_sev_device(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(value); +} + +static void +qsev_guest_class_init(ObjectClass *oc, void *data) +{ + object_class_property_add_str(oc, "sev-device", + qsev_guest_get_sev_device, + qsev_guest_set_sev_device, + NULL); + object_class_property_set_description(oc, "sev-device", + "SEV device to use", NULL); + object_class_property_add_str(oc, "dh-cert-file", + 
qsev_guest_get_dh_cert_file, + qsev_guest_set_dh_cert_file, + NULL); + object_class_property_set_description(oc, "dh-cert-file", + "guest owners DH certificate (encoded with base64)", NULL); + object_class_property_add_str(oc, "session-file", + qsev_guest_get_session_file, + qsev_guest_set_session_file, + NULL); + object_class_property_set_description(oc, "session-file", + "guest owners session parameters (encoded with base64)", NULL); +} + +static void +qsev_guest_set_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->handle = value; +} + +static void +qsev_guest_set_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->policy = value; +} + +static void +qsev_guest_get_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->policy; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->handle; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_init(Object *obj) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); + sev->policy = DEFAULT_GUEST_POLICY; + object_property_add(obj, "policy", "uint32", qsev_guest_get_policy, + qsev_guest_set_policy, NULL, NULL, NULL); + object_property_add(obj, "handle", "uint32", qsev_guest_get_handle, + qsev_guest_set_handle, NULL, NULL, NULL); +} + +/* sev guest info */ +static const TypeInfo qsev_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_QSEV_GUEST_INFO, + .instance_size = 
sizeof(QSevGuestInfo), + .instance_finalize = qsev_guest_finalize, + .class_size = sizeof(QSevGuestInfoClass), + .class_init = qsev_guest_class_init, + .instance_init = qsev_guest_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +sev_register_types(void) +{ + type_register_static(&qsev_guest_info); +} + +type_init(sev_register_types); diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt index 72a92b6c6353..1527f603ea2a 100644 --- a/docs/amd-memory-encryption.txt +++ b/docs/amd-memory-encryption.txt @@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing several flags that restricts what can be done on running SEV guest. See KM Spec section 3 and 6.2 for more details. +The guest policy can be provided via the 'policy' property (see below) + +# ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + Guest owners provided DH certificate and session parameters will be used to establish a cryptographic session with the guest owner to negotiate keys used for the attestation. +The DH certificate and session blob can be provided via 'dh-cert-file' and +'session-file' property (see below + +# ${QEMU} \ + sev-guest,id=sev0,dh-cert-file=,session-file= + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context created via LAUNCH_START command. If required, this command can be called multiple times to encrypt different memory regions. The command also calculates @@ -59,6 +70,12 @@ context. See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the complete flow chart. +To launch a SEV guest + +# ${QEMU} \ + -machine ...,memory-encryption=sev0 \ + -object sev-guest,id=sev0 + Debugging ----------- Since memory contents of SEV guest is encrypted hence hypervisor access to the diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h new file mode 100644 index 000000000000..d2621a9d1100 --- /dev/null +++ b/include/sysemu/sev.h 
@@ -0,0 +1,53 @@ +/* + * QEMU Secure Encrypted Virutualization (SEV) support + * + * Copyright: Advanced Micro Devices, 2016-2018 + * + * Authors: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#ifndef QEMU_SEV_H +#define QEMU_SEV_H + +#include "qom/object.h" +#include "qapi/error.h" +#include "sysemu/kvm.h" +#include "qemu/error-report.h" + +#define TYPE_QSEV_GUEST_INFO "sev-guest" +#define QSEV_GUEST_INFO(obj) \ + OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) + +typedef struct QSevGuestInfo QSevGuestInfo; +typedef struct QSevGuestInfoClass QSevGuestInfoClass; + +/** + * QSevGuestInfo: + * + * The QSevGuestInfo object is used for creating a SEV guest. + * + * # $QEMU \ + * -object sev-guest,id=sev0 \ + * -machine ...,memory-encryption=sev0 + */ +struct QSevGuestInfo { + Object parent_obj; + + char *sev_device; + uint32_t policy; + uint32_t handle; + char *dh_cert_file; + char *session_file; +}; + +struct QSevGuestInfoClass { + ObjectClass parent_class; +}; + +#endif + diff --git a/qemu-options.hx b/qemu-options.hx index bec3490d7b8d..031886c1da77 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4280,6 +4280,40 @@ contents of @code{iv.b64} to the second secret data=$SECRET,iv=$(
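Review bot: the three string setters in the accel/kvm/sev.c hunk (qsev_guest_set_session_file, qsev_guest_set_dh_cert_file, qsev_guest_set_sev_device) overwrite the stored pointer with `s->session_file = g_strdup(value);` without freeing the previous string, and qsev_guest_finalize() has an empty body, so sev_device (pre-set from DEFAULT_SEV_DEVICE in qsev_guest_init), dh_cert_file and session_file are never released; add a `g_free()` of the old value before each assignment and free the three strings in the finalizer. In qsev_guest_set_handle() and qsev_guest_set_policy(), `visit_type_uint32(v, name, &value, errp);` is followed unconditionally by `sev->handle = value;` / `sev->policy = value;`, so a failed visit (a non-numeric property value on the command line) may store an uninitialized local; use a local `Error *local_err`, `error_propagate(errp, local_err)` and return on failure, and assign only on success. Smaller points: the property descriptions read "guest owners DH certificate" and "guest owners session parameters" (should be "owner's"), and `type_init(sev_register_types);` carries a trailing semicolon that the rest of QEMU's type_init() call sites omit.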
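Review bot: the two new command-line fragments in the docs/amd-memory-encryption.txt hunk, `sev-guest,id=sev0,policy=0x1...\` and `sev-guest,id=sev0,dh-cert-file=,session-file=`, are missing the `-object` option in front of `sev-guest`, unlike the complete example added later in the same hunk (`-object sev-guest,id=sev0`); without it QEMU does not create the object. The sentence "'session-file' property (see below" also lacks its closing parenthesis and should read "properties (see below)". It would help the reader to tie `policy=0x1` back to the 4-byte guest policy described two paragraphs above, since sev.c sets that same value as DEFAULT_GUEST_POLICY with the comment "disable debug".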
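Review bot: the file comment in the include/sysemu/sev.h hunk misspells the feature as "Secure Encrypted Virutualization". The header also pulls in "qapi/error.h", "sysemu/kvm.h" and "qemu/error-report.h" although nothing it declares (QSevGuestInfo, QSevGuestInfoClass, TYPE_QSEV_GUEST_INFO, QSEV_GUEST_INFO()) uses them; "qom/object.h" is the only include the declarations need, and sev.c already includes "qapi/error.h" and "sysemu/kvm.h" itself, so the extra includes can be dropped from the header.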