From patchwork Thu Feb 15 15:39:34 2018
X-Patchwork-Submitter: Brijesh Singh
X-Patchwork-Id: 873946
From: Brijesh Singh
To: qemu-devel@nongnu.org
Date: Thu, 15 Feb 2018 09:39:34 -0600
Message-Id: <20180215153955.3253-9-brijesh.singh@amd.com>
In-Reply-To: <20180215153955.3253-1-brijesh.singh@amd.com>
References: <20180215153955.3253-1-brijesh.singh@amd.com>
Subject: [Qemu-devel] [PATCH v9 08/29] target/i386: add Secure Encrypted Virtualization (SEV) object
Cc: Peter Maydell, Brijesh Singh, kvm@vger.kernel.org, "Michael S. Tsirkin", Stefan Hajnoczi, Alexander Graf, "Edgar E. Iglesias", Markus Armbruster, Bruce Rogers, Christian Borntraeger, Marcel Apfelbaum, Borislav Petkov, Thomas Lendacky, Eduardo Habkost, Richard Henderson, "Dr. David Alan Gilbert", Alistair Francis, Cornelia Huck, Richard Henderson, Peter Crosthwaite, Paolo Bonzini

Add a new memory encryption object 'sev-guest'. The object will be used to
create encrypted VMs on AMD EPYC CPU. The object provides the properties to
pass guest owner's public Diffie-Hellman key, guest policy and session
information required to create the memory encryption context within the SEV
firmware.

e.g. to launch an SEV guest

# $QEMU \
    -object sev-guest,id=sev0 \
    -machine ....,memory-encryption=sev0

Cc: Paolo Bonzini
Cc: Richard Henderson
Cc: Eduardo Habkost
Signed-off-by: Brijesh Singh
---
 docs/amd-memory-encryption.txt |  17 +++
 include/sysemu/sev.h           |  54 ++++++++++
 qemu-options.hx                |  36 +++++++
 target/i386/Makefile.objs      |   2 +-
 target/i386/sev.c              | 228 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 336 insertions(+), 1 deletion(-)
 create mode 100644 include/sysemu/sev.h
 create mode 100644 target/i386/sev.c

diff --git a/docs/amd-memory-encryption.txt b/docs/amd-memory-encryption.txt
index 72a92b6c6353..1527f603ea2a 100644
--- a/docs/amd-memory-encryption.txt
+++ b/docs/amd-memory-encryption.txt
@@ -35,10 +35,21 @@ in bad measurement). The guest policy is a 4-byte data structure containing several flags that restricts what can be done on running SEV guest. See KM Spec section 3 and 6.2 for more details. +The guest policy can be provided via the 'policy' property (see below) + +# ${QEMU} \ + sev-guest,id=sev0,policy=0x1...\ + Guest owners provided DH certificate and session parameters will be used to establish a cryptographic session with the guest owner to negotiate keys used for the attestation. +The DH certificate and session blob can be provided via 'dh-cert-file' and +'session-file' property (see below + +# ${QEMU} \ + sev-guest,id=sev0,dh-cert-file=,session-file= + LAUNCH_UPDATE_DATA encrypts the memory region using the cryptographic context created via LAUNCH_START command. If required, this command can be called multiple times to encrypt different memory regions. The command also calculates @@ -59,6 +70,12 @@ context. See SEV KM API Spec [1] 'Launching a guest' usage flow (Appendix A) for the complete flow chart. +To launch a SEV guest + +# ${QEMU} \ + -machine ...,memory-encryption=sev0 \ + -object sev-guest,id=sev0 + Debugging ----------- Since memory contents of SEV guest is encrypted hence hypervisor access to the diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h new file mode 100644 index 000000000000..a1936a7a79aa --- /dev/null +++ b/include/sysemu/sev.h 
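Review bot: The two usage snippets added in the first hunk, `sev-guest,id=sev0,policy=0x1...` and `sev-guest,id=sev0,dh-cert-file=,session-file=`, are missing the `-object` switch that the second hunk's `-object sev-guest,id=sev0` example and the commit message both use; add `-object` so the three examples agree, and consider showing the matching `-machine ...,memory-encryption=sev0` line alongside them, since the policy and the DH certificate only take effect through that binding. Two small text issues in the same hunk: `(see below` is missing its closing parenthesis, and the sentence "The guest policy can be provided via the 'policy' property (see below)" lacks a full stop.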
@@ -0,0 +1,54 @@ +/* + * QEMU Secure Encrypted Virutualization (SEV) support + * + * Copyright: Advanced Micro Devices, 2016-2018 + * + * Authors: + * Brijesh Singh + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#ifndef QEMU_SEV_H +#define QEMU_SEV_H + +#include "qom/object.h" +#include "qapi/error.h" +#include "sysemu/kvm.h" +#include "qemu/error-report.h" + +#define TYPE_QSEV_GUEST_INFO "sev-guest" +#define QSEV_GUEST_INFO(obj) \ + OBJECT_CHECK(QSevGuestInfo, (obj), TYPE_QSEV_GUEST_INFO) + +typedef struct QSevGuestInfo QSevGuestInfo; +typedef struct QSevGuestInfoClass QSevGuestInfoClass; + +/** + * QSevGuestInfo: + * + * The QSevGuestInfo object is used for creating a SEV guest. + * + * # $QEMU \ + * -object sev-guest,id=sev0 \ + * -machine ...,memory-encryption=sev0 + */ +struct QSevGuestInfo { + Object parent_obj; + + char *sev_device; + uint32_t policy; + uint32_t handle; + char *dh_cert_file; + char *session_file; + uint32_t cbitpos; + uint32_t reduced_phys_bits; +}; + +struct QSevGuestInfoClass { + ObjectClass parent_class; +}; + +#endif diff --git a/qemu-options.hx b/qemu-options.hx index fcbe842c0653..d166574437be 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
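Review bot: Of the four includes in the new header, only `qom/object.h` is needed for what sev.h declares; `qapi/error.h`, `sysemu/kvm.h` and `qemu/error-report.h` are not used by anything in the header and should be dropped (sev.c already includes `qapi/error.h` and `sysemu/kvm.h` itself). The fields of `struct QSevGuestInfo` would also benefit from a one-line comment each, because `handle`, `cbitpos` and `reduced_phys_bits` are not self-explanatory to a reader of the header alone. Minor: `Virutualization` in the file comment is a typo.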
@@ -4304,6 +4304,42 @@ contents of @code{iv.b64} to the second secret data=$SECRET,iv=$( + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/base64.h" +#include "sysemu/kvm.h" +#include "sysemu/sev.h" +#include "sysemu/sysemu.h" + +#define DEFAULT_GUEST_POLICY 0x1 /* disable debug */ +#define DEFAULT_SEV_DEVICE "/dev/sev" + +static void +qsev_guest_finalize(Object *obj) +{ +} + +static char * +qsev_guest_get_session_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return s->session_file ? g_strdup(s->session_file) : NULL; +} + +static void +qsev_guest_set_session_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->session_file = g_strdup(value); +} + +static char * +qsev_guest_get_dh_cert_file(Object *obj, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + return g_strdup(s->dh_cert_file); +} + +static void +qsev_guest_set_dh_cert_file(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *s = QSEV_GUEST_INFO(obj); + + s->dh_cert_file = g_strdup(value); +} + +static char * +qsev_guest_get_sev_device(Object *obj, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + return g_strdup(sev->sev_device); +} + +static void +qsev_guest_set_sev_device(Object *obj, const char *value, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(value); +} + +static void +qsev_guest_class_init(ObjectClass *oc, void *data) +{ + object_class_property_add_str(oc, "sev-device", + qsev_guest_get_sev_device, + qsev_guest_set_sev_device, + NULL); + object_class_property_set_description(oc, "sev-device", + "SEV device to use", NULL); + object_class_property_add_str(oc, "dh-cert-file", + qsev_guest_get_dh_cert_file, + 
qsev_guest_set_dh_cert_file, + NULL); + object_class_property_set_description(oc, "dh-cert-file", + "guest owners DH certificate (encoded with base64)", NULL); + object_class_property_add_str(oc, "session-file", + qsev_guest_get_session_file, + qsev_guest_set_session_file, + NULL); + object_class_property_set_description(oc, "session-file", + "guest owners session parameters (encoded with base64)", NULL); +} + +static void +qsev_guest_set_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->handle = value; +} + +static void +qsev_guest_set_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->policy = value; +} + +static void +qsev_guest_set_cbitpos(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->cbitpos = value; +} + +static void +qsev_guest_set_reduced_phys_bits(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + uint32_t value; + + visit_type_uint32(v, name, &value, errp); + sev->reduced_phys_bits = value; +} + +static void +qsev_guest_get_policy(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->policy; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_handle(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->handle; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_cbitpos(Object *obj, Visitor *v, const 
char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->cbitpos; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_get_reduced_phys_bits(Object *obj, Visitor *v, const char *name, + void *opaque, Error **errp) +{ + uint32_t value; + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + value = sev->reduced_phys_bits; + visit_type_uint32(v, name, &value, errp); +} + +static void +qsev_guest_init(Object *obj) +{ + QSevGuestInfo *sev = QSEV_GUEST_INFO(obj); + + sev->sev_device = g_strdup(DEFAULT_SEV_DEVICE); + sev->policy = DEFAULT_GUEST_POLICY; + object_property_add(obj, "policy", "uint32", qsev_guest_get_policy, + qsev_guest_set_policy, NULL, NULL, NULL); + object_property_add(obj, "handle", "uint32", qsev_guest_get_handle, + qsev_guest_set_handle, NULL, NULL, NULL); + object_property_add(obj, "cbitpos", "uint32", qsev_guest_get_cbitpos, + qsev_guest_set_cbitpos, NULL, NULL, NULL); + object_property_add(obj, "reduced-phys-bits", "uint32", + qsev_guest_get_reduced_phys_bits, + qsev_guest_set_reduced_phys_bits, NULL, NULL, NULL); +} + +/* sev guest info */ +static const TypeInfo qsev_guest_info = { + .parent = TYPE_OBJECT, + .name = TYPE_QSEV_GUEST_INFO, + .instance_size = sizeof(QSevGuestInfo), + .instance_finalize = qsev_guest_finalize, + .class_size = sizeof(QSevGuestInfoClass), + .class_init = qsev_guest_class_init, + .instance_init = qsev_guest_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + +static void +sev_register_types(void) +{ + type_register_static(&qsev_guest_info); +} + +type_init(sev_register_types);
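Review bot: The four visitor setters (`qsev_guest_set_handle`, `qsev_guest_set_policy`, `qsev_guest_set_cbitpos`, `qsev_guest_set_reduced_phys_bits`) store `value` unconditionally after `visit_type_uint32(v, name, &value, errp);`, so when the visit fails `value` is uninitialized and is still written into the object; use a local `Error *local_err = NULL;`, call `visit_type_uint32(v, name, &value, &local_err);`, and on error do `error_propagate(errp, local_err); return;` before the assignment. Separately, the string setters overwrite `s->session_file`, `s->dh_cert_file` and `sev->sev_device` with a fresh `g_strdup()` without `g_free()`ing the previous value (and `sev_device` always has one, from `qsev_guest_init`), and `qsev_guest_finalize` is an empty body, so none of the three strings is ever freed; add a `g_free()` of the old value in each setter and of all three in finalize. Style: `qsev_guest_get_session_file` uses `s->session_file ? g_strdup(s->session_file) : NULL` while the other getters call `g_strdup()` directly, which already returns NULL for a NULL argument, so the ternary can go; and `qemu/base64.h` and `sysemu/sysemu.h` are included but nothing in this file uses them yet.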