From patchwork Wed Mar 7 16:50:18 2018
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Wed, 7 Mar 2018 10:50:18 -0600
Message-Id: <20180307165038.88640-9-brijesh.singh@amd.com>
In-Reply-To: <20180307165038.88640-1-brijesh.singh@amd.com>
References: <20180307165038.88640-1-brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v11 08/28] target/i386: add Secure Encrypted Virtualization (SEV) object
Cc: Peter Maydell, Brijesh Singh, kvm@vger.kernel.org, "Michael S. Tsirkin", Stefan Hajnoczi, Alexander Graf, "Edgar E. Iglesias", Markus Armbruster, Bruce Rogers, Christian Borntraeger, Marcel Apfelbaum, Borislav Petkov, Thomas Lendacky, Eduardo Habkost, Richard Henderson, "Dr. David Alan Gilbert", Alistair Francis, Cornelia Huck, Richard Henderson, Peter Crosthwaite, Paolo Bonzini

Add a new memory encryption object 'sev-guest'. The object will be used to
create encrypted VMs on AMD EPYC CPUs. The object provides the properties to
pass the guest owner's public Diffie-Hellman key, guest policy and session
information required to create the memory encryption context within the SEV
firmware.

e.g. to launch an SEV guest

# $QEMU \
   -object sev-guest,id=sev0 \
   -machine ....,memory-encryption=sev0

Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
 docs/amd-memory-encryption.txt |  17 +++
 qemu-options.hx                |  44 ++++++++
 target/i386/Makefile.objs      |   2 +-
 target/i386/sev.c              | 228 +++++++++++++++++++++++++++++++++++++++++
 target/i386/sev_i386.h         |  61 +++++++++++
 5 files changed, 351 insertions(+), 1 deletion(-)
 create mode 100644 target/i386/sev.c
 create mode 100644 target/i386/sev_i386.h

diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 72a92b6c6353..05266fd41b23 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing several flags that restricts what can be done on running SEV guest. See KM Spec section 3 and 6.2 for more details. +The guest policy can be provided via the 'policy' property (see below) + +# ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + Guest owners provided DH certificate and session parameters will be used to establish a cryptographic session with the guest owner to negotiate keys used for the attestation. +The DH certificate and session blob can be provided via 'dh-cert-file' and +'session-file' property (see below + +# ${QEMU} \ + sev-guest,id=sev0,dh-cert-file=,session-file= + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context created via LAUNCH_START command. If required, this command can be called multiple times to encrypt different memory regions. The command also calculates @@ -59,6 +70,12 @@ context. See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the complete flow chart. +To launch a SEV guest + +# ${QEMU} \ + -machine ...,memory-encryption=sev0 \ + -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 + Debugging ----------- Since memory contents of SEV guest is encrypted hence hypervisor access to the diff --git a/qemu-options.hx b/qemu-options.hx index c157946af308..1808593221ba 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -4356,6 +4356,50 @@ contents of @code{iv.b64} to the second secret data=$SECRET,iv=$( + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/base64.h" +#include "sysemu/kvm.h" +#include "sev_i386.h" +#include "sysemu/sysemu.h" + +#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ +#define DEFAULT_SEV_DEVICE "/dev/sev" + +static void +qsev_guest_finalize(Object *obj) +{ +} + +static char * +qsev_guest_get_session_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return s->session_file ? g_strdup(s->session_file) : NULL; +} + +static void +qsev_guest_set_session_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->session_file = g_strdup(value); +} + +static char * +qsev_guest_get_dh_cert_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return g_strdup(s->dh_cert_file); +} + +static void +qsev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->dh_cert_file = g_strdup(value); +} + +static char * +qsev_guest_get_sev_device(Object *obj, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + return g_strdup(sev->sev_device); +} + +static void +qsev_guest_set_sev_device(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(value); +} + +static void +qsev_guest_class_init(ObjectClass *oc, void *data) +{ + object_class_property_add_str(oc, "sev-device", + qsev_guest_get_sev_device, + qsev_guest_set_sev_device, + NULL); + object_class_property_set_description(oc, "sev-device", + "SEV device to use", NULL); + object_class_property_add_str(oc, "dh-cert-file", + qsev_guest_get_dh_cert_file, + 
qsev_guest_set_dh_cert_file, + NULL); + object_class_property_set_description(oc, "dh-cert-file", + "guest owners DH certificate (encoded with base64)", NULL); + object_class_property_add_str(oc, "session-file", + qsev_guest_get_session_file, + qsev_guest_set_session_file, + NULL); + object_class_property_set_description(oc, "session-file", + "guest owners session parameters (encoded with base64)", NULL); +} + +static void +qsev_guest_set_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->handle = value; +} + +static void +qsev_guest_set_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->policy = value; +} + +static void +qsev_guest_set_cbitpos(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->cbitpos = value; +} + +static void +qsev_guest_set_reduced_phys_bits(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->reduced_phys_bits = value; +} + +static void +qsev_guest_get_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->policy; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->handle; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_cbitpos(Object *obj, Visitor *v, const 
char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->cbitpos; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_reduced_phys_bits(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->reduced_phys_bits; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_init(Object *obj) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); + sev->policy = DEFAULT_GUEST_POLICY; + object_property_add(obj, "policy", "uint32", qsev_guest_get_policy, + qsev_guest_set_policy, NULL, NULL, NULL); + object_property_add(obj, "handle", "uint32", qsev_guest_get_handle, + qsev_guest_set_handle, NULL, NULL, NULL); + object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos, + qsev_guest_set_cbitpos, NULL, NULL, NULL); + object_property_add(obj, "reduced-phys-bits", "uint32", + qsev_guest_get_reduced_phys_bits, + qsev_guest_set_reduced_phys_bits, NULL, NULL, NULL); +} + +/* sev guest info */ +static const TypeInfo qsev_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_QSEV_GUEST_INFO, + .instance_size = sizeof(QSevGuestInfo), + .instance_finalize = qsev_guest_finalize, + .class_size = sizeof(QSevGuestInfoClass), + .class_init = qsev_guest_class_init, + .instance_init = qsev_guest_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +sev_register_types(void) +{ + type_register_static(&qsev_guest_info); +} + +type_init(sev_register_types); diff --git a/target/i386/sev_i386.h b/target/i386/sev_i386.h new file mode 100644 index 000000000000..caf879c3b874 --- /dev/null +++ b/target/i386/sev_i386.h 
@@ -0,0 +1,61 @@ +/* + * QEMU Secure Encrypted Virutualization (SEV) support + * + * Copyright: Advanced Micro Devices, 2016-2018 + * + * Authors: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#ifndef QEMU_SEV_I386_H +#define QEMU_SEV_I386_H + +#include "qom/object.h" +#include "qapi/error.h" +#include "sysemu/kvm.h" +#include "qemu/error-report.h" + +#define SEV_POLICY_NODBG 0x1 +#define SEV_POLICY_NOKS 0x2 +#define SEV_POLICY_ES 0x4 +#define SEV_POLICY_NOSEND 0x8 +#define SEV_POLICY_DOMAIN 0x10 +#define SEV_POLICY_SEV 0x20 + +#define TYPE_QSEV_GUEST_INFO "sev-guest" +#define QSEV_GUEST_INFO(obj) \ + OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) + +typedef struct QSevGuestInfo QSevGuestInfo; +typedef struct QSevGuestInfoClass QSevGuestInfoClass; + +/** + * QSevGuestInfo: + * + * The QSevGuestInfo object is used for creating a SEV guest. + * + * # $QEMU \ + * -object sev-guest,id=sev0 \ + * -machine ...,memory-encryption=sev0 + */ +struct QSevGuestInfo { + Object parent_obj; + + char *sev_device; + uint32_t policy; + uint32_t handle; + char *dh_cert_file; + char *session_file; + uint32_t cbitpos; + uint32_t reduced_phys_bits; +}; + +struct QSevGuestInfoClass { + ObjectClass parent_class; +}; + +#endif
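Review bot: in the first docs/amd-memory-encryption.txt hunk (@@ -35,10 +35,21 @@) the added sentence "The DH certificate and session blob can be provided via 'dh-cert-file' and 'session-file' property (see below" never closes its parenthesis and should read "properties (see below)", since two are named; both command-line examples added in this hunk also show `sev-guest,id=sev0,...` without the `-object` that the commit message and the second docs hunk use, so a reader copying `# ${QEMU} \ sev-guest,id=sev0,policy=0x1...\` gets an invalid command line. Suggest `-object sev-guest,id=sev0,policy=0x1... \` and `-object sev-guest,id=sev0,dh-cert-file=...,session-file=...` in both places.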
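Review bot: the launch example in the second docs hunk (@@ -59,6 +70,12 @@) presents `cbitpos=47,reduced-phys-bits=1` as if they were fixed values, but nothing in the document says what these two properties mean or that they describe the host CPU's memory-encryption layout and must match the platform the guest is launched on; the property descriptions in sev.c do not explain them either. Add a sentence under "To launch a SEV guest" stating that both values are platform-specific and where the operator obtains them, otherwise readers will copy 47 and 1 verbatim onto hardware with a different layout.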
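Review bot: in target/i386/sev.c, `qsev_guest_set_policy`, `qsev_guest_set_handle`, `qsev_guest_set_cbitpos` and `qsev_guest_set_reduced_phys_bits` call `visit_type_uint32(v, name, &value, errp)` and then unconditionally store `value`, so when the visitor fails (for example a non-numeric `policy=`) an uninitialised stack value is written into the object while an error is also reported. Use a local `Error *error = NULL;`, pass it to the visitor, and `error_propagate(errp, error); return;` when it is set before assigning. The string setters (`qsev_guest_set_sev_device`, `qsev_guest_set_dh_cert_file`, `qsev_guest_set_session_file`) assign `g_strdup(value)` without freeing the previous string, and `qsev_guest_finalize` is empty even though `qsev_guest_init` allocates `sev_device` with `g_strdup(DEFAULT_SEV_DEVICE)`: `g_free()` the old value in each setter and free all three strings in finalize. Minor: `type_init(sev_register_types);` should drop the trailing semicolon, as the macro already expands to a function definition.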
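Review bot: the file comment in target/i386/sev_i386.h misspells "Virtualization" as "Virutualization" (the patch subject has the same slip); and of the four includes only `qom/object.h` is needed by the declarations in this header (`Object`, `ObjectClass`, `OBJECT_CHECK`), so `qapi/error.h`, `sysemu/kvm.h` and `qemu/error-report.h` should be dropped here or moved to sev.c where they are actually used.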
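The commit message says the 'sev-guest' object carries the guest policy, and sev_i386.h above defines the six SEV_POLICY_* flag bits that make up that 4-byte value, with 0x1 (NODBG, "disable debug") as the default. The program below is an added example written for this page, not code from the patch or from QEMU: it decodes a 32-bit policy into the flag names the header defines and checks, before the value is handed to `-object sev-guest,...,policy=`, that it carries every restriction a guest owner requires and no undefined bits. Treating every bit outside the six defined flags as unknown, and the `sev_policy_result` enum and function names, are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy flag bits exactly as target/i386/sev_i386.h in the patch defines them. */
#define SEV_POLICY_NODBG   0x1
#define SEV_POLICY_NOKS    0x2
#define SEV_POLICY_ES      0x4
#define SEV_POLICY_NOSEND  0x8
#define SEV_POLICY_DOMAIN  0x10
#define SEV_POLICY_SEV     0x20

/* Bits this example can interpret. Treating every other bit of the 32-bit
 * value as unknown is this example's simplification, not the patch's. */
#define SEV_POLICY_KNOWN_MASK (SEV_POLICY_NODBG | SEV_POLICY_NOKS | SEV_POLICY_ES | \
                               SEV_POLICY_NOSEND | SEV_POLICY_DOMAIN | SEV_POLICY_SEV)

/* Result codes for sev_policy_check(); names chosen for this example. */
enum sev_policy_result {
    SEV_POLICY_OK = 0,
    SEV_POLICY_UNKNOWN_BITS,   /* bits set that the header does not define */
    SEV_POLICY_MISSING_FLAGS,  /* a required restriction is not set */
};

static const struct {
    uint32_t bit;
    const char *name;
} sev_policy_names[] = {
    { SEV_POLICY_NODBG,  "NODBG"  },
    { SEV_POLICY_NOKS,   "NOKS"   },
    { SEV_POLICY_ES,     "ES"     },
    { SEV_POLICY_NOSEND, "NOSEND" },
    { SEV_POLICY_DOMAIN, "DOMAIN" },
    { SEV_POLICY_SEV,    "SEV"    },
};

/*
 * Render the known flags set in 'policy' as "NODBG|NOSEND" into buf and
 * return how many of them are set. A policy with no known flag renders as
 * "(none)". If buf is too small the output is cut at a flag boundary.
 */
static int sev_policy_describe(uint32_t policy, char *buf, size_t len)
{
    size_t used = 0;
    int count = 0;

    if (len == 0) {
        return 0;
    }
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(sev_policy_names) / sizeof(sev_policy_names[0]); i++) {
        if (!(policy & sev_policy_names[i].bit)) {
            continue;
        }
        int n = snprintf(buf + used, len - used, "%s%s",
                         count ? "|" : "", sev_policy_names[i].name);
        if (n < 0 || (size_t)n >= len - used) {
            buf[used] = '\0';           /* undo the partial write, keep what fit */
            break;
        }
        used += (size_t)n;
        count++;
    }
    if (count == 0) {
        snprintf(buf, len, "(none)");
    }
    return count;
}

/*
 * Check a policy the way a guest owner would before passing it as
 * -object sev-guest,...,policy=VALUE: reject bits the header does not
 * define, then require that every flag in 'required' is set. The owner
 * chooses 'required'; once the guest is launched, the SEV firmware is what
 * enforces the policy.
 */
static enum sev_policy_result sev_policy_check(uint32_t policy, uint32_t required)
{
    if (policy & ~(uint32_t)SEV_POLICY_KNOWN_MASK) {
        return SEV_POLICY_UNKNOWN_BITS;
    }
    if ((policy & required) != required) {
        return SEV_POLICY_MISSING_FLAGS;
    }
    return SEV_POLICY_OK;
}

int main(void)
{
    /* Constructed sample values: the patch's default (0x1), a stricter owner
     * policy (0x9), an empty policy, and one with an undefined bit set. */
    const uint32_t samples[] = { 0x1, 0x9, 0x0, 0x40 };
    const uint32_t required = SEV_POLICY_NODBG | SEV_POLICY_NOSEND;
    char buf[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        sev_policy_describe(samples[i], buf, sizeof(buf));
        printf("policy=0x%x flags=%s check=%d\n", samples[i], buf,
               sev_policy_check(samples[i], required));
    }
    return 0;
}
```

With `policy=0x1`, the patch's DEFAULT_GUEST_POLICY, the only flag set is NODBG, which is what the `/* disable debug */` comment in sev.c promises; a guest owner who additionally wants the NOSEND restriction passes 0x9, and a value such as 0x40 is rejected as carrying a bit the header does not define rather than being silently accepted.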