From patchwork Wed Feb  7 16:06:20 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brijesh Singh <brijesh.singh@amd.com>
X-Patchwork-Id: 10205597
Return-Path: 
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	835F16020F for <patchwork-qemu-devel@patchwork.kernel.org>;
	Wed,  7 Feb 2018 16:21:28 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 70E8A29084
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Wed,  7 Feb 2018 16:21:28 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 65731290C7; Wed,  7 Feb 2018 16:21:28 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAD_ENC_HEADER,BAYES_00,
	DKIM_SIGNED,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable
	version=3.3.1
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id ADF832909D
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Wed,  7 Feb 2018 16:21:27 +0000 (UTC)
Received: from localhost ([::1]:55960 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>)
	id 1ejSTO-0001oo-Ka for patchwork-qemu-devel@patchwork.kernel.org;
	Wed, 07 Feb 2018 11:21:26 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51593)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <brijesh.singh@amd.com>) id 1ejSFi-0005rO-2o
	for qemu-devel@nongnu.org; Wed, 07 Feb 2018 11:07:21 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <brijesh.singh@amd.com>) id 1ejSFe-0006tU-L6
	for qemu-devel@nongnu.org; Wed, 07 Feb 2018 11:07:18 -0500
Received: from mail-by2nam01on0040.outbound.protection.outlook.com
	([104.47.34.40]:29552
	helo=NAM01-BY2-obe.outbound.protection.outlook.com)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <brijesh.singh@amd.com>)
	id 1ejSFe-0006sp-Du
	for qemu-devel@nongnu.org; Wed, 07 Feb 2018 11:07:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=amdcloud.onmicrosoft.com; s=selector1-amd-com;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
	bh=K0rG+9OhEX2pAYXJhYpkvMIzreLnbL1Kngbvv5Wp/bM=;
	b=BKJhAGtDfQBdq2m6bc181jZM5caeBAZ7P7jDZGFdMI7Efrkt0/TDcSzo73G8w0qa7cYEFxqlKveGad3pqsuwVNv6ZxVxmIqXQrTkDG9fxN+zsL44t6xK8kkuPGdSVsBukrbDIF6tboNETEzobZz6P5KybGodEcyiFRhj+NQQAeI=
Authentication-Results: spf=none (sender IP is )
	smtp.mailfrom=brijesh.singh@amd.com;
Received: from wsp141597wss.amd.com (165.204.78.1) by
	CY1PR12MB0152.namprd12.prod.outlook.com (10.161.173.22) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
	15.20.464.11; Wed, 7 Feb 2018 16:07:09 +0000
From: Brijesh Singh <brijesh.singh@amd.com>
To: qemu-devel@nongnu.org
Date: Wed,  7 Feb 2018 10:06:20 -0600
Message-Id: <20180207160638.98872-8-brijesh.singh@amd.com>
X-Mailer: git-send-email 2.14.3
In-Reply-To: <20180207160638.98872-1-brijesh.singh@amd.com>
References: <20180207160638.98872-1-brijesh.singh@amd.com>
MIME-Version: 1.0
X-Originating-IP: [165.204.78.1]
X-ClientProxiedBy: DM3PR12CA0071.namprd12.prod.outlook.com (10.161.151.143)
	To CY1PR12MB0152.namprd12.prod.outlook.com (10.161.173.22)
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: aea06ec9-d88b-4d41-4470-08d56e44d7f9
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0;
	RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(2017052603307)(7153060)(7193020);
	SRVR:CY1PR12MB0152;
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0152;
	3:q9n0+lRVTi6ahBPHVzYqaYaCddLsi2tVn508gDDKR0OELiNrg0vfn/p2q7FdsYCvEHSASpOPb8qb7Z4hL3hR8YDxsfHSqycvtSKq0ZuqDlkhXsRHjCMcKxNOEfJ1cc7T2GhbpHlIC0CydXql1VJOooVMvm0f/cRQJDpDO/Jp/yASjS+/y2yVC4z7CUdqSlAlSfvmuWuFoU3s+d8D2uv/pN2QBP326HuL84UdFWwHaKkN31NV9VdRGyTeWUMIowPE;
	25:1AMPuJb0lbkx1Jut6WRzBuuRSPCesbGgz+oHCI8gS3cc8Z63HhEJYOCnub46+WfzdaVe7U3Sc7ayJ0cwAl93OEqRWw5YWal7kY1U0DE2OCNd0sFsQpcPiJ96XkCROrwg08NFkShDolHuQAkbaUYOqn+KiMZWsLNcuTQzaTRSkOz69ysn/VvT1KwFPLT0EUxo5VoHpomOExR1h1s3irMGbVemkM7dgbhnfSlH4i+6PDYNaz6fkW8sM1+ue13LA6LxBrjamWcj228s8/dt1DDPlr+FYYVR51T3Bp4KKaeM2B8ETwch/J4Etn9hqY1TDG6LSKT42tUoNOisZ2JPLMBSUA==;
	31:0uwLjEea+D8gPUb4+4jyz6m2uGTp9ouluzUqUlzwDDfHd+VewUzoV/VAlltOGq4VTwVxBDaOVPm82zrbHBznmWNcBCNzB63pvj3UGXaH10H5QuSEfBtzAbzfVKiUSfOr6tX4DJ9lraMpylZZOx/MvxlzTlgbbYT8/v0EPVOatDFHaPjtfEqbewsJHOuggSJH+o60YD7xLNrvUQJ3VRaLDjiXo36Io3nMYGhr6w7/SUs=
X-MS-TrafficTypeDiagnostic: CY1PR12MB0152:
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0152;
	20:apRYXZo/McoukXy0fJRVDMYl/UMaUf1xfEfU16jEBNhTFzL4j6QMVrHMl4Ig0RXLbSAMkboj2XA5vZjEmCxN/p5JiqJ9PfrwjPvXgTyu9mgTi34cYDtjFqEhnhLppy2aeTOTt4gnqcDT4TD3rMVpBgzzFrGvsmCjkcQtXzSd32I9GwhyIbvC07guPCX17JSK/CenUUcmgLlSSywEQFWkQxy9IyoV5M/OscsFNUrZQWyOPpHf8zjO7d0s8XJ0jowe/iEpNOrFLcMi47FIadHwbxwlSXGf4tqt+dfT2+JitVVgUW3CH8BKsxtEVaWjhwMNfbuVrrncjZWv3A6I7jFrL8bZN5oSxlUmmlDCF2Wq/oQUqCtuddBCHNcbMVDLNF39sVfrijT+77E3lM5LGtEGEcUnG6RPWC96uyza3f9fhG3JRmrl00uPJyGZJh6LcOMj77EuDmSYHQ7+3S5RHr0raTaK+7SYx3JQNtGbPEERIX1TbOVLo7CC2WVBGajdPMwX;
	4:grAI/554SBt8Ds0w970pHIMnBXTNDJWSFM7NWots1e55oNtP5XSMNbpnpSMrE0D90uIRKqhHLOxnusFp2/IVKO3fSh6bXfyNquObn3BS4hPMcO2/9uX1XGMF1WvMjpUdWRKzuGVOLxXT/PWOMJTtPjRfzGWyFqUrfXV75LSkAMpp14oABmf7dpJL+299yLGW6y6Hqabi50g6AL3nYVBaslZAcKY5g7FckvyUHtrruIUM66OXmmrF4FD4hZXTAyWDeIL5Uv9TPD33ttN9jonvM80lq8vWb6T9pVAM8gNmESeNfQkPWGBtryzlTZO3+g+k
X-Microsoft-Antispam-PRVS: 
 <CY1PR12MB0152D95A725E562749ADF558E5FC0@CY1PR12MB0152.namprd12.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(767451399110);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0;
	RULEID:(6040501)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(3231101)(2400082)(944501161)(6055026)(6041288)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123558120)(20161123564045)(20161123560045)(6072148)(201708071742011);
	SRVR:CY1PR12MB0152; BCL:0; PCL:0; RULEID:; SRVR:CY1PR12MB0152;
X-Forefront-PRVS: 0576145E86
X-Forefront-Antispam-Report: SFV:NSPM;
	SFS:(10009020)(39860400002)(366004)(39380400002)(346002)(396003)(376002)(199004)(189003)(6306002)(50226002)(68736007)(8666007)(51416003)(6916009)(7696005)(16526019)(1076002)(50466002)(6486002)(53416004)(7736002)(305945005)(53936002)(8656006)(8936002)(8676002)(7416002)(86362001)(4326008)(1720100001)(81156014)(81166006)(52116002)(6666003)(966005)(2950100002)(478600001)(2351001)(66066001)(16586007)(2906002)(54906003)(5660300001)(106356001)(2361001)(47776003)(48376002)(105586002)(3846002)(59450400001)(6116002)(36756003)(386003)(316002)(39060400002)(26005)(97736004)(186003)(76176011)(25786009);
	DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR12MB0152;
	H:wsp141597wss.amd.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1;
	MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: amd.com does not designate
	permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; CY1PR12MB0152;
	23:RCHHFzU3dn716k25d/qKIKjWSuaWEUqKODlBQGcCj?=
	=?us-ascii?Q?6BASzCBxdPr6qkRroItr5ujfJXcE1kD1ejXwMm80WF7MQKWH5tIDc2IK1Jf6?=
	=?us-ascii?Q?olQI8QIFvLCrFEaKliJlVgDYGWdzQIkU3FyBZBFwrQ3r8ExogAjoSjwJ1Mbz?=
	=?us-ascii?Q?kM6oypQmyrAXleFesziJ49tMYuvErsgnQbmT/lFxxDtM0O0QKyuIedT719fs?=
	=?us-ascii?Q?g4TCirFckNoko4MO4EmZFTFgV8TpGkRoDvEUUfsUWlPKIyUGDhA9aBX28Ss8?=
	=?us-ascii?Q?Q3zrgtN6rlmQ1XDncEJmqGSmQ2Wbt2LzT3Ls8D4dFTX6R2MZdWOEQn5hT1RC?=
	=?us-ascii?Q?j+8wn6Pl3WSkAN4jS5aAuIimEaApPKd+5s3q1jcFc502MVaiOXw1A5skIPQS?=
	=?us-ascii?Q?L1eOkXxqajNzu3vMtv7U615pyhcUykXN48qYyvpIe4jDwMD/CYClqpmnb17E?=
	=?us-ascii?Q?CIdYGBdWyA+BxDDwcvWoXdYW5U3znypsYjwO1w9zFb2eevNHFClfNt6d9FFJ?=
	=?us-ascii?Q?mFdNYoVsaU+stHcWmsiNJmxjiBvuvsuiZ+ArKwINLzICB3LnA84DrIHCP3Ln?=
	=?us-ascii?Q?yil/SFMZP2+DFgoZBRww8QZu0Zh5GTIAOtodgPb8vaTBCWJ67igaH2Z2rAlf?=
	=?us-ascii?Q?ZLoeHgBuFFds2DL+hNjeFaOrJbyni6PLtCKaPAgAyoDhNT3m3iIBRG+b7Q3L?=
	=?us-ascii?Q?6rWf0b6mbPjK47D9WuuXG+2FXfpYXCV50gj5MTdaKgqDDKLONwuV3LBx4E86?=
	=?us-ascii?Q?IKgJQ1X1WG0J9ezHYPnzzpY/X2Pp1xhW2hMoTH44ejjQ3KB8L62zXPI65CT1?=
	=?us-ascii?Q?GnYO2hg5zDmDSO0RByMWABNYMaoVhEyZXjjV3Tqy+s/vxmgX2y3ADyYShqm6?=
	=?us-ascii?Q?6TgCCdLjQDR9XKeCrGTf72CDS2P1v0TsS3+0rl/CLV1iOS/YQlJtpQxOndMl?=
	=?us-ascii?Q?zBvBhKPKUvTDm/9YKz9IZI8lPuKU9BLZLxHELBVcdKJU79YQv9ROFARBEnNf?=
	=?us-ascii?Q?Iz6bZRlchuMADC3PwiOycaSWefUyGBI9kFmpK9m2p6AQBf6K8xCUhv9JeAZP?=
	=?us-ascii?Q?UzOlyKmEdefEBb0i+nFh++qiESq3JQmseDiYYaSIrB5xptOJx63gU+GtUZW6?=
	=?us-ascii?Q?CQSX6htYP+RuiYu/tz3pWLnIFnKFxjvKe21BnBbCw3qMqOEexylsmCpGlt8p?=
	=?us-ascii?Q?8zlMKNcUB1X6Q4rEIrj5sDEiFMCmO4jPG8bjnQpW1etKR7n1jDmjCsDqmW+r?=
	=?us-ascii?Q?f1GIE6zsdso8TXfgBB6bEnVUaGu+9LTDpVEFQvawgMRtNzuLhampZ3p1rqpY?=
	=?us-ascii?Q?1GZJUlPgOVRD6lRoyC8EEQP7mVYo+WOgRfX7rpVo94vMOFzti2yORy4b+4d4?=
	=?us-ascii?Q?jJVHQ=3D=3D?=
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0152;
	6:pU7UtJWoJFqLbvfOjtaPVi0S5RFwp+1JN+e9qBj7CrpgpeGuaN6dA8/ZR1wrA8Hn1JkAJwzNSEk6o+Y0mVPyNNeo0Y2u3HEX+PGHi6Wd1Pm2YX/ejv2FQuXJgQI/iy8QoEk70nyWQQkr3U+O5jpqRjE0P0toXCkPRnitLjZIkk4YTfo43sdH7EmSSrwWBqIqpoLqCGX04yiw6l75ZLgg08LpfYGmBHY+0kOhgQmc3eV5UygDDEly0Bbn0OPTux36droSqnCIL5UlXCuWDhYUsHUhaVNUTVrdAUg8BR6q2dYTf+BsuHatB/LlzOnHekxCiq4Sx5odCYCIiis8s3GVWEX70d4PWI6IC2edfvKAGdo=;
	5:t3nABTjA2yQQIj3jXGIicw1LyC8LHNkwyP/RvcOerJUIaNv/rhhErDNeIr1zeI3RsM8AMNkmetbBMnf0Rt/XhmcZ7+GQ2x0ratQa5gjLacNIadMeizdVkWFbIONETb87N6ZrdqQpF0gndd/GB13j3N+6DLWIzAP53XLpdSRt+Ys=;
	24:tSBleLiLwD5nDCaD1yaCRkHwNuDKXo/pIjYDHWK6xVgBaDIMfPr80U6bpgj08qxQ2D2214p4dsfKvLY22nG/Fc5WYlEFTGoKyom82IIThf8=;
	7:jWENCDx7YGf1rzaBCGoFU5I9+1TRDvkABTQMjC4WXctGw02HKiUrxpRhBEOm+3Z3uJ0hSnzbVEsGTFSlbBdH04Q7oUoZ+0EDFfMu3pKbed1wbtnsqef42zF6k3JI937PMt/H1H54DHoY3G+4wQLY1RqFeQPWTkwekULSXw5nQNXchTl+qcAEoKz/+KSy3LlLfNPBEPo53nB5cKzDsowY/Tsuf+T9/Y9i428DCnHpYG9GDczLpwUL4Nyzi0xXdl3C
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; CY1PR12MB0152;
	20:3oiq+p/jMFF4L6ZQMA0DHWKYjevQ96sarGMy/mYf1XKF6ph5ReFgpXQt1FfEdw6+C5MJRvpKhaU8knmZS5sA8QEBIWW7jZm6yStNvwg1RfmX1VzP6rlIRdA307Jl24GGta0sy+stcXRKu4ds268gh87aG/c2zUHSpunLzgDTwSxr13oL8gq7gd6LR+YCuaFTGahywEwgOSGgtDuW4JvT2YKJjDqqjAvGyEh0mwu+j4UpegbzMPvRbrYBVTKn3x9g
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Feb 2018 16:07:09.3374
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 aea06ec9-d88b-4d41-4470-08d56e44d7f9
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR12MB0152
X-detected-operating-system: by eggs.gnu.org: Windows 7 or 8 [fuzzy]
X-Received-From: 104.47.34.40
Subject: [Qemu-devel] [PATCH v7 08/26] docs: add AMD Secure Encrypted
	Virtualization (SEV)
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>,
	Peter Maydell <peter.maydell@linaro.org>,
	Eduardo Habkost <ehabkost@redhat.com>, kvm@vger.kernel.org,
	"Michael S. Tsirkin" <mst@redhat.com>,
	Marcel Apfelbaum <marcel@redhat.com>,
	Markus Armbruster <armbru@redhat.com>,
	Peter Crosthwaite <crosthwaite.peter@gmail.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	Alistair Francis <alistair.francis@xilinx.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Brijesh Singh <brijesh.singh@amd.com>,
	Stefan Hajnoczi <stefanha@gmail.com>,
	Cornelia Huck <cornelia.huck@de.ibm.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Thomas Lendacky <Thomas.Lendacky@amd.com>, Borislav Petkov <bp@suse.de>
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Create a documentation entry to describe the AMD Secure Encrypted
Virtualization (SEV) feature.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
---
 docs/amd-memory-encryption.txt | 92 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 docs/amd-memory-encryption.txt

diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
new file mode 100644
index 000000000000..72a92b6c6353
--- /dev/null
+++ b/docs/amd-memory-encryption.txt
@@ -0,0 +1,92 @@
+Secure Encrypted Virtualization (SEV) is a feature found on AMD processors.
+
+SEV is an extension to the AMD-V architecture which supports running encrypted
+virtual machine (VMs) under the control of KVM. Encrypted VMs have their pages
+(code and data) secured such that only the guest itself has access to the
+unencrypted version. Each encrypted VM is associated with a unique encryption
+key; if its data is accessed to a different entity using a different key the
+encrypted guests data will be incorrectly decrypted, leading to unintelligible
+data.
+
+The key management of this feature is handled by separate processor known as
+AMD secure processor (AMD-SP) which is present in AMD SOCs. Firmware running
+inside the AMD-SP provide commands to support common VM lifecycle. This
+includes commands for launching, snapshotting, migrating and debugging the
+encrypted guest. Those SEV command can be issued via KVM_MEMORY_ENCRYPT_OP
+ioctls.
+
+Launching
+---------
+Boot images (such as bios) must be encrypted before guest can be booted.
+MEMORY_ENCRYPT_OP ioctl provides commands to encrypt the images :LAUNCH_START,
+LAUNCH_UPDATE_DATA, LAUNCH_MEASURE and LAUNCH_FINISH. These four commands
+together generate a fresh memory encryption key for the VM, encrypt the boot
+images and provide a measurement than can be used as an attestation of the
+successful launch.
+
+LAUNCH_START is called first to create a cryptographic launch context within
+the firmware. To create this context, guest owner must provides guest policy,
+its public Diffie-Hellman key (PDH) and session parameters. These inputs
+should be treated as binary blob and must be passed as-is to the SEV firmware.
+
+The guest policy is passed as plaintext and hypervisor may able to read it
+but should not modify it (any modification of the policy bits will result
+in bad measurement). The guest policy is a 4-byte data structure containing
+several flags that restricts what can be done on running SEV guest.
+See KM Spec section 3 and 6.2 for more details.
+
+Guest owners provided DH certificate and session parameters will be used to
+establish a cryptographic session with the guest owner to negotiate keys used
+for the attestation.
+
+LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context
+created via LAUNCH_START command. If required, this command can be called
+multiple times to encrypt different memory regions. The command also calculates
+the measurement of the memory contents as it encrypts.
+
+LAUNCH_MEASURE command can be used to retrieve the measurement of encrypted
+memory. This measurement is a signature of the memory contents that can be
+sent to the guest owner as an attestation that the memory was encrypted
+correctly by the firmware. The guest owner may wait to provide the guest
+confidential information until it can verify the attestation measurement.
+Since the guest owner knows the initial contents of the guest at boot, the
+attestation measurement can be verified by comparing it to what the guest owner
+expects.
+
+LAUNCH_FINISH command finalizes the guest launch and destroy's the cryptographic
+context.
+
+See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the
+complete flow chart.
+
+Debugging
+-----------
+Since memory contents of SEV guest is encrypted hence hypervisor access to the
+guest memory will get a cipher text. If guest policy allows debugging, then
+hypervisor can use DEBUG_DECRYPT and DEBUG_ENCRYPT commands access the guest
+memory region for debug purposes.
+
+Snapshot/Restore
+-----------------
+TODO
+
+Live Migration
+----------------
+TODO
+
+References
+-----------------
+
+AMD Memory Encryption whitepaper:
+http://amd-dev.wpengine.netdna-cdn.com/wordpress/media/2013/12/AMD_Memory_Encryption_Whitepaper_v7-Public.pdf
+
+Secure Encrypted Virutualization Key Management:
+[1] http://support.amd.com/TechDocs/55766_SEV-KM API_Specification.pdf
+
+KVM Forum slides:
+http://www.linux-kvm.org/images/7/74/02x08A-Thomas_Lendacky-AMDs_Virtualizatoin_Memory_Encryption_Technology.pdf
+
+AMD64 Architecture Programmer's Manual:
+   http://support.amd.com/TechDocs/24593.pdf
+   SME is section 7.10
+   SEV is section 15.34