[libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

Larkins Carvalho posted 1 patch 11 weeks ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190501214157.10448-1-larkins.l.carvalho@intel.com
docs/formatdomain.html.in                     |   62 +-
docs/formatdomaincaps.html.in                 |   18 +
docs/schemas/domaincaps.rng                   |   14 +
include/libvirt/libvirt-host.h                |   18 +
src/conf/domain_capabilities.c                |   29 +
src/conf/domain_capabilities.h                |   12 +
src/conf/domain_conf.c                        |  114 +-
src/conf/domain_conf.h                        |   13 +
src/conf/virconftypes.h                       |    3 +
src/driver-hypervisor.h                       |    7 +
src/libvirt-host.c                            |   48 +
src/libvirt_private.syms                      |    5 +
src/libvirt_public.syms                       |    5 +
src/qemu/qemu_capabilities.c                  |  130 +-
src/qemu/qemu_capabilities.h                  |    4 +
src/qemu/qemu_capspriv.h                      |    4 +
src/qemu/qemu_command.c                       |   40 +
src/qemu/qemu_driver.c                        |   63 +
src/qemu/qemu_monitor.c                       |    9 +
src/qemu/qemu_monitor.h                       |    5 +
src/qemu/qemu_monitor_json.c                  |   52 +
src/qemu/qemu_monitor_json.h                  |    3 +
src/remote/remote_daemon_dispatch.c           |   43 +
src/remote/remote_driver.c                    |   40 +-
src/remote/remote_protocol.x                  |   21 +-
src/remote_protocol-structs                   |   12 +
src/util/Makefile.inc.am                      |    2 +
src/util/virmktme.c                           |  112 ++
src/util/virmktme.h                           |   33 +
.../bhyve_basic.x86_64.xml                    |    1 +
.../bhyve_fbuf.x86_64.xml                     |    1 +
.../bhyve_uefi.x86_64.xml                     |    1 +
tests/domaincapsschemadata/empty.xml          |    1 +
tests/domaincapsschemadata/libxl-xenfv.xml    |    1 +
tests/domaincapsschemadata/libxl-xenpv.xml    |    1 +
.../qemu_1.7.0.x86_64.xml                     |    1 +
.../qemu_2.12.0-virt.aarch64.xml              |    1 +
.../qemu_2.12.0.ppc64.xml                     |    1 +
.../qemu_2.12.0.s390x.xml                     |    1 +
.../qemu_2.12.0.x86_64.xml                    |    1 +
.../qemu_2.6.0-virt.aarch64.xml               |    1 +
.../qemu_2.6.0.aarch64.xml                    |    1 +
.../domaincapsschemadata/qemu_2.6.0.ppc64.xml |    1 +
.../qemu_2.6.0.x86_64.xml                     |    1 +
.../domaincapsschemadata/qemu_2.7.0.s390x.xml |    1 +
.../qemu_2.8.0-tcg.x86_64.xml                 |    1 +
.../domaincapsschemadata/qemu_2.8.0.s390x.xml |    1 +
.../qemu_2.8.0.x86_64.xml                     |    1 +
.../qemu_2.9.0-q35.x86_64.xml                 |    1 +
.../qemu_2.9.0-tcg.x86_64.xml                 |    1 +
.../qemu_2.9.0.x86_64.xml                     |    1 +
.../domaincapsschemadata/qemu_3.0.0.s390x.xml |    1 +
.../qemu_3.1.0.x86_64.xml                     |    1 +
.../qemu_4.0.0.x86_64.xml                     |    1 +
.../qemu_5.0.0.x86_64.xml                     |  164 ++
tests/domaincapstest.c                        |    4 +
.../caps_5.0.0.x86_64.xml                     | 1389 +++++++++++++++++
57 files changed, 2490 insertions(+), 13 deletions(-)
create mode 100644 src/util/virmktme.c
create mode 100644 src/util/virmktme.h
create mode 100644 tests/domaincapsschemadata/qemu_5.0.0.x86_64.xml
create mode 100644 tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml

[libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

Posted by Larkins Carvalho 11 weeks ago
From: llcarval <larkins.l.carvalho@intel.com>

Total Memory Encryption (TME) – provides the capability to encrypt the
entirety of the physical memory of a system. MKTME builds on TME and
adds support for multiple encryption keys.

High Level flow:

1. Management tool calls virNodeGetMKTMEInfo. This returns an XML document
that includes the following

<feature>
...
  <mktme supported='yes'>
    <keys_supported> </keys_supported>
  </mktme>
</feature>

2. Management tool requests to start a guest calling virCreateXML(). The xml would include

<launchsecurity type='mktme'>
  <id>m0</id>
  <key_type>user</key_type>
  <key>samplekey</key>
  <encryption_algorithm>aes-xts-128</encryption_algorithm>
</launchSecurity>

3. Libvirt makes system call with the provided information to generate a key handle using linux keyring services.
Qemu uses the key handle to launch the workload.

4. Libvirt generate the QEMU cli arg to enable the MKTME feature, a typical
args looks like this:

-machine memory-encryption=m0 \
-object mktme-guest,id=m0,handle=${serial}

Intel MKTME spec: https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf

WIP: Qemu and KVM patch to support Intel MKTME are in the process of development and community approval.

The purpose of this initial review is to get on par with libvirt development and the proposed Intel MKTME feature in libvirt.
Considering we have not added tests, this is a preliminary patch and based on the community feedback, we expect more updates to follow.

TODO:
Add tests for launch security of type mktme.
Update domaincommon.rng to add attribute of type mktme.
---
 docs/formatdomain.html.in                     |   62 +-
 docs/formatdomaincaps.html.in                 |   18 +
 docs/schemas/domaincaps.rng                   |   14 +
 include/libvirt/libvirt-host.h                |   18 +
 src/conf/domain_capabilities.c                |   29 +
 src/conf/domain_capabilities.h                |   12 +
 src/conf/domain_conf.c                        |  114 +-
 src/conf/domain_conf.h                        |   13 +
 src/conf/virconftypes.h                       |    3 +
 src/driver-hypervisor.h                       |    7 +
 src/libvirt-host.c                            |   48 +
 src/libvirt_private.syms                      |    5 +
 src/libvirt_public.syms                       |    5 +
 src/qemu/qemu_capabilities.c                  |  130 +-
 src/qemu/qemu_capabilities.h                  |    4 +
 src/qemu/qemu_capspriv.h                      |    4 +
 src/qemu/qemu_command.c                       |   40 +
 src/qemu/qemu_driver.c                        |   63 +
 src/qemu/qemu_monitor.c                       |    9 +
 src/qemu/qemu_monitor.h                       |    5 +
 src/qemu/qemu_monitor_json.c                  |   52 +
 src/qemu/qemu_monitor_json.h                  |    3 +
 src/remote/remote_daemon_dispatch.c           |   43 +
 src/remote/remote_driver.c                    |   40 +-
 src/remote/remote_protocol.x                  |   21 +-
 src/remote_protocol-structs                   |   12 +
 src/util/Makefile.inc.am                      |    2 +
 src/util/virmktme.c                           |  112 ++
 src/util/virmktme.h                           |   33 +
 .../bhyve_basic.x86_64.xml                    |    1 +
 .../bhyve_fbuf.x86_64.xml                     |    1 +
 .../bhyve_uefi.x86_64.xml                     |    1 +
 tests/domaincapsschemadata/empty.xml          |    1 +
 tests/domaincapsschemadata/libxl-xenfv.xml    |    1 +
 tests/domaincapsschemadata/libxl-xenpv.xml    |    1 +
 .../qemu_1.7.0.x86_64.xml                     |    1 +
 .../qemu_2.12.0-virt.aarch64.xml              |    1 +
 .../qemu_2.12.0.ppc64.xml                     |    1 +
 .../qemu_2.12.0.s390x.xml                     |    1 +
 .../qemu_2.12.0.x86_64.xml                    |    1 +
 .../qemu_2.6.0-virt.aarch64.xml               |    1 +
 .../qemu_2.6.0.aarch64.xml                    |    1 +
 .../domaincapsschemadata/qemu_2.6.0.ppc64.xml |    1 +
 .../qemu_2.6.0.x86_64.xml                     |    1 +
 .../domaincapsschemadata/qemu_2.7.0.s390x.xml |    1 +
 .../qemu_2.8.0-tcg.x86_64.xml                 |    1 +
 .../domaincapsschemadata/qemu_2.8.0.s390x.xml |    1 +
 .../qemu_2.8.0.x86_64.xml                     |    1 +
 .../qemu_2.9.0-q35.x86_64.xml                 |    1 +
 .../qemu_2.9.0-tcg.x86_64.xml                 |    1 +
 .../qemu_2.9.0.x86_64.xml                     |    1 +
 .../domaincapsschemadata/qemu_3.0.0.s390x.xml |    1 +
 .../qemu_3.1.0.x86_64.xml                     |    1 +
 .../qemu_4.0.0.x86_64.xml                     |    1 +
 .../qemu_5.0.0.x86_64.xml                     |  164 ++
 tests/domaincapstest.c                        |    4 +
 .../caps_5.0.0.x86_64.xml                     | 1389 +++++++++++++++++
 57 files changed, 2490 insertions(+), 13 deletions(-)
 create mode 100644 src/util/virmktme.c
 create mode 100644 src/util/virmktme.h
 create mode 100644 tests/domaincapsschemadata/qemu_5.0.0.x86_64.xml
 create mode 100644 tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e1da878fcc..e96186aba9 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -8924,13 +8924,16 @@ qemu-kvm -net nic,model=? /dev/null
 
     <p>Note: DEA/TDEA is synonymous with DES/TDES.</p>
 
-    <h3><a id="sev">Launch Security</a></h3>
+    <h3><a id="launchsecurity">Launch Security</a></h3>
 
     <p>
-       The contents of the <code>&lt;launchSecurity type='sev'&gt;</code> element
+       The contents of the <code>launchSecurity</code> element
        is used to provide the guest owners input used for creating an encrypted
-       VM using the AMD SEV feature (Secure Encrypted Virtualization).
-
+       VM using the AMD SEV feature (Secure Encrypted Virtualization)
+	   and Intel MKTME (Multi-Key Total Memory Encryption).
+    </p>
+	<h4><a id="sev">SEV</a></h4>
+	<p>
        SEV is an extension to the AMD-V architecture which supports running
        encrypted virtual machine (VMs) under the control of KVM. Encrypted
        VMs have their pages (code and data) secured such that only the guest
@@ -8942,7 +8945,7 @@ qemu-kvm -net nic,model=? /dev/null
        For more information see various input parameters and its format see the
        <a href="https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf">SEV API spec</a>
        <span class="since">Since 4.4.0</span>
-       </p>
+	</p>
     <pre>
 &lt;domain&gt;
   ...
@@ -9039,6 +9042,55 @@ qemu-kvm -net nic,model=? /dev/null
       </dd>
     </dl>
 
+	<h4><a id="mktme">MKTME</a></h4>
+	<p>
+      Total Memory Encryption (TME) – provides the capability to encrypt the
+	  entirety of the physical memory of a system. MKTME builds on TME and
+	  adds support for multiple encryption keys.
+
+	  By default MKTME uses the TME encryption key unless explicitly specified
+	  by software. In addition to supporting a CPU generated ephemeral
+      key (not accessible by software or by using external interfaces to an SOC),
+	  MKTME also supports software provided keys. Software provided keys are
+	  particularly useful when used with nonvolatile memory or when combined
+	  with attestation mechanisms and/or used with key provisioning services.
+
+	  For more information see
+       <a href="https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf">MKTME spec</a>
+       <span class="since">Since 5.3.0</span>
+	</p>
+	    <pre>
+&lt;domain&gt;
+  ...
+  &lt;launchSecurity type='mktme'&gt;
+    &lt;id&gt;mktme-0&lt;/id&gt;
+    &lt;key_type&gt;samplekey&lt;/key_type&gt;
+    &lt;type&gt;user&lt;/type&gt;
+    &lt;encryption_algorithm&gt;aes-xts-128&lt;/encryption_algorithm&gt;
+  &lt;/launchSecurity&gt;
+  ...
+&lt;/domain&gt;
+</pre>
+    <dl>
+      <dt><code>id</code></dt>
+      <dd>The required <code>id</code> element provides ability to map the key handle.
+	  If the id exists system returns the same mapped key handle which can be used to 
+	  encrpyt a different guest. 
+      </dd>
+      <dt><code>key_type</code></dt>
+      <dd>MKTME supports user and cpu generated keys. The required <code>key_type</code>
+	  element provides the type of key used for the encryption.
+      </dd>
+      <dt><code>key</code></dt>
+      <dd>The optional <code>key</code> element provides the key used for the encryption.
+	  Required only when the key type is of user.
+      </dd>
+      <dt><code>encryption_algorithm</code></dt>
+      <dd>The required <code>encyption_algorithm</code> element provides the type of 
+	  encryption algorithm. Currently, MKTME supports aes-xts-128 only.
+      </dd>
+    </dl>
+
     <h2><a id="examples">Example configs</a></h2>
 
     <p>
diff --git a/docs/formatdomaincaps.html.in b/docs/formatdomaincaps.html.in
index b31b1729f4..ece891fa67 100644
--- a/docs/formatdomaincaps.html.in
+++ b/docs/formatdomaincaps.html.in
@@ -530,5 +530,23 @@
       address space. The number of bits we lose is hypervisor dependent.</dd>
     </dl>
 
+	<h4><a id="elementsMKTME">MKTME capabilities</a></h4>
+
+    <p>Intel Multi-Key Total Memory Encryption (MKTME) capabilities are exposed under
+    the <code>mktme</code> element.
+    Total Memory Encryption (TME) – provides the capability to encrypt the
+	entirety of the physical memory of a system. MKTME builds on TME and
+	adds support for multiple encryption keys.</p>
+
+    <p>
+    For more details on MKTME feature see:
+      <a href="https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf">MKTME spec</a>
+    </p>
+
+    <dl>
+      <dt><code>keys_supported</code></dt>
+      <dd>When mktme is enabled, keys_supported information is avaiable</dd>
+    </dl>
+
   </body>
 </html>
diff --git a/docs/schemas/domaincaps.rng b/docs/schemas/domaincaps.rng
index e629d6431f..a399e4348f 100644
--- a/docs/schemas/domaincaps.rng
+++ b/docs/schemas/domaincaps.rng
@@ -200,6 +200,9 @@
       <optional>
         <ref name='sev'/>
       </optional>
+      <optional>
+        <ref name='mktme'/>
+      </optional>
     </element>
   </define>
 
@@ -236,6 +239,17 @@
     </element>
   </define>
 
+  <define name='mktme'>
+    <element name='mktme'>
+      <ref name='supported'/>
+      <optional>
+        <element name='keys_supported'>
+          <data type='unsignedInt'/>
+        </element>
+      </optional>
+    </element>
+  </define>
+
   <define name='value'>
     <zeroOrMore>
       <element name='value'>
diff --git a/include/libvirt/libvirt-host.h b/include/libvirt/libvirt-host.h
index 7debb5f829..10d2e4d2f3 100644
--- a/include/libvirt/libvirt-host.h
+++ b/include/libvirt/libvirt-host.h
@@ -473,6 +473,24 @@ int virNodeGetSEVInfo (virConnectPtr conn,
                        int *nparams,
                        unsigned int flags);
 
+/**
+*
+* MKTME Parameters
+*/
+
+/**
+* VIR_NODE_MKTME_KEYS_SUPPORTED:
+*
+* Macro represents the number of keys supported, when MKTME is enabled in the guest.
+*/
+# define VIR_NODE_MKTME_KEYS_SUPPORTED "keys_supported"
+
+int virNodeGetMKTMEInfo(virConnectPtr conn,
+						virTypedParameterPtr *params,
+						int *nparams,
+						unsigned int flags);
+
+
 /**
  * virConnectFlags
  *
diff --git a/src/conf/domain_capabilities.c b/src/conf/domain_capabilities.c
index 2e7e1c206b..1115fc26fc 100644
--- a/src/conf/domain_capabilities.c
+++ b/src/conf/domain_capabilities.c
@@ -78,6 +78,15 @@ virSEVCapabilitiesFree(virSEVCapability *cap)
     VIR_FREE(cap);
 }
 
+void
+virMKTMECapabilitiesFree(virMKTMECapability *cap)
+{
+	if (!cap)
+		return;
+
+	VIR_FREE(cap);
+}
+
 
 static void
 virDomainCapsDispose(void *obj)
@@ -89,6 +98,7 @@ virDomainCapsDispose(void *obj)
     virObjectUnref(caps->cpu.custom);
     virCPUDefFree(caps->cpu.hostModel);
     virSEVCapabilitiesFree(caps->sev);
+    virMKTMECapabilitiesFree(caps->mktme);
 
     virDomainCapsStringValuesFree(&caps->os.loader.values);
 }
@@ -593,6 +603,24 @@ virDomainCapsFeatureSEVFormat(virBufferPtr buf,
     return;
 }
 
+static void
+virDomainCapsFeatureMKTMEFormat(virBufferPtr buf,
+	virMKTMECapabilityPtr const mktme)
+{
+	if (!mktme) {
+		virBufferAddLit(buf, "<mktme supported='no'/>\n");
+	}
+	else {
+		virBufferAddLit(buf, "<mktme supported='yes'>\n");
+		virBufferAdjustIndent(buf, 2);
+		virBufferAsprintf(buf, "<keys_supported>%d</keys_supported>\n", mktme->keys_supported);
+		virBufferAdjustIndent(buf, -2);
+		virBufferAddLit(buf, "</mktme>\n");
+	}
+
+	return;
+}
+
 
 char *
 virDomainCapsFormat(virDomainCapsPtr const caps)
@@ -636,6 +664,7 @@ virDomainCapsFormat(virDomainCapsPtr const caps)
     FORMAT_SINGLE("vmcoreinfo", caps->vmcoreinfo);
     FORMAT_SINGLE("genid", caps->genid);
     virDomainCapsFeatureSEVFormat(&buf, caps->sev);
+    virDomainCapsFeatureMKTMEFormat(&buf, caps->mktme);
 
     virBufferAdjustIndent(&buf, -2);
     virBufferAddLit(&buf, "</features>\n");
diff --git a/src/conf/domain_capabilities.h b/src/conf/domain_capabilities.h
index cd09d50cee..56a73546c0 100644
--- a/src/conf/domain_capabilities.h
+++ b/src/conf/domain_capabilities.h
@@ -150,6 +150,12 @@ struct _virSEVCapability {
     unsigned int reduced_phys_bits;
 };
 
+typedef struct _virMKTMECapability virMKTMECapability;
+typedef virMKTMECapability *virMKTMECapabilityPtr;
+struct _virMKTMECapability {
+	unsigned int keys_supported;
+};
+
 struct _virDomainCaps {
     virObjectLockable parent;
 
@@ -174,6 +180,7 @@ struct _virDomainCaps {
     virTristateBool vmcoreinfo;
     virTristateBool genid;
     virSEVCapabilityPtr sev;
+    virMKTMECapabilityPtr mktme;
     /* add new domain features here */
 };
 
@@ -222,4 +229,9 @@ virSEVCapabilitiesFree(virSEVCapability *capabilities);
 
 VIR_DEFINE_AUTOPTR_FUNC(virSEVCapability, virSEVCapabilitiesFree);
 
+void
+virMKTMECapabilitiesFree(virMKTMECapability *capabilities);
+
+VIR_DEFINE_AUTOPTR_FUNC(virMKTMECapability, virMKTMECapabilitiesFree);
+
 #endif /* LIBVIRT_DOMAIN_CAPABILITIES_H */
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index b4fb6cf981..e563840479 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1233,6 +1233,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               VIR_DOMAIN_LAUNCH_SECURITY_LAST,
               "",
               "sev",
+              "mktme",
 );
 
 static virClassPtr virDomainObjClass;
@@ -3281,6 +3282,22 @@ virDomainSEVDefFree(virDomainSEVDefPtr def)
     VIR_FREE(def);
 }
 
+static void
+virDomainMKTMEDefFree(virDomainMKTMEDefPtr def)
+{
+	if (!def)
+		return;
+
+	VIR_FREE(def->id);
+	VIR_FREE(def->key_type);
+	VIR_FREE(def->key);
+	VIR_FREE(def->encryption_algorithm);
+
+
+	VIR_FREE(def);
+}
+
+
 
 void virDomainDefFree(virDomainDefPtr def)
 {
@@ -3466,6 +3483,7 @@ void virDomainDefFree(virDomainDefPtr def)
         (def->ns.free)(def->namespaceData);
 
     virDomainSEVDefFree(def->sev);
+	virDomainMKTMEDefFree(def->mktme);
 
     xmlFreeNode(def->metadata);
 
@@ -15939,6 +15957,21 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
     return ret;
 }
 
+static int
+virDomainGetLaunchSecurityType(xmlNodePtr node)
+{
+	VIR_AUTOFREE(char *) type = NULL;
+
+	if (!(type = virXMLPropString(node, "type"))) {
+		virReportError(VIR_ERR_XML_ERROR, "%s",
+			_("missing launch security type"));
+		return -1;
+	}
+
+	return virDomainLaunchSecurityTypeFromString(type);
+
+}
+
 
 static virDomainSEVDefPtr
 virDomainSEVDefParseXML(xmlNodePtr sevNode,
@@ -15965,6 +15998,7 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+	case VIR_DOMAIN_LAUNCH_SECURITY_MKTME:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
     default:
         virReportError(VIR_ERR_XML_ERROR,
@@ -16005,6 +16039,28 @@ virDomainSEVDefParseXML(xmlNodePtr sevNode,
     goto cleanup;
 }
 
+static virDomainMKTMEDefPtr
+virDomainMKTMEDefParseXML(xmlNodePtr mktmeNode,
+	xmlXPathContextPtr ctxt)
+{
+	VIR_XPATH_NODE_AUTORESTORE(ctxt);
+	virDomainMKTMEDefPtr def;
+
+	if (VIR_ALLOC(def) < 0)
+		return NULL;
+
+	ctxt->node = mktmeNode;
+
+	def->sectype = VIR_DOMAIN_LAUNCH_SECURITY_MKTME;
+
+	def->id = virXPathString("string(./id)", ctxt);
+	def->key_type = virXPathString("string(./key_type)", ctxt);
+	def->key = virXPathString("string(./key)", ctxt);
+	def->encryption_algorithm = virXPathString("string(./encryption_algorithm)", ctxt);
+
+	return def;
+}
+
 static virDomainMemoryDefPtr
 virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
                            xmlNodePtr memdevNode,
@@ -21127,11 +21183,33 @@ virDomainDefParseXML(xmlDocPtr xml,
     ctxt->node = node;
     VIR_FREE(nodes);
 
-    /* Check for SEV feature */
+    /* Check for launch security (MKTME/SEV) feature */
     if ((node = virXPathNode("./launchSecurity", ctxt)) != NULL) {
-        def->sev = virDomainSEVDefParseXML(node, ctxt);
-        if (!def->sev)
-            goto error;
+		int sectype = virDomainGetLaunchSecurityType(node);
+
+		if (sectype < 0)
+			goto error;
+
+		switch ((virDomainLaunchSecurity) sectype) {
+		case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+			def->sev = virDomainSEVDefParseXML(node, ctxt);
+			if (!def->sev)
+				goto error;
+			break;
+		case VIR_DOMAIN_LAUNCH_SECURITY_MKTME:
+			def->mktme = virDomainMKTMEDefParseXML(node, ctxt);
+			if (!def->mktme)
+				goto error;
+			break;
+		case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+		case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+		default:
+			virReportError(VIR_ERR_XML_ERROR,
+				_("unsupported launch security type '%s'"),
+				virXMLPropString(node, "type"));
+			goto error;
+		}
+
     }
 
     /* analysis of memory devices */
@@ -27263,6 +27341,33 @@ virDomainSEVDefFormat(virBufferPtr buf, virDomainSEVDefPtr sev)
     virBufferAddLit(buf, "</launchSecurity>\n");
 }
 
+static void
+virDomainMKTMEDefFormat(virBufferPtr buf, virDomainMKTMEDefPtr mktme)
+{
+	if (!mktme)
+		return;
+
+	virBufferAsprintf(buf, "<launchSecurity type='%s'>\n",
+		virDomainLaunchSecurityTypeToString(mktme->sectype));
+	virBufferAdjustIndent(buf, 2);
+
+	if (mktme->id)
+		virBufferEscapeString(buf, "<id>%s</id>\n", mktme->id);
+
+	if (mktme->key_type)
+		virBufferEscapeString(buf, "<key_type>%s</key_type>\n", mktme->key_type);
+
+	if (mktme->key)
+		virBufferEscapeString(buf, "<key>%s</key>\n", mktme->key);
+
+	if (mktme->encryption_algorithm)
+		virBufferEscapeString(buf, "<encryption_algorithm>%s</encryption_algorithm>\n", mktme->encryption_algorithm);
+
+
+	virBufferAdjustIndent(buf, -2);
+	virBufferAddLit(buf, "</launchSecurity>\n");
+}
+
 
 static void
 virDomainPerfDefFormat(virBufferPtr buf, virDomainPerfDefPtr perf)
@@ -28636,6 +28741,7 @@ virDomainDefFormatInternal(virDomainDefPtr def,
         virDomainKeyWrapDefFormat(buf, def->keywrap);
 
     virDomainSEVDefFormat(buf, def->sev);
+	virDomainMKTMEDefFormat(buf, def->mktme);
 
     virBufferAdjustIndent(buf, -2);
     virBufferAddLit(buf, "</domain>\n");
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 01c22d8cc3..5d08759de9 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2279,6 +2279,7 @@ struct _virDomainKeyWrapDef {
 typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_NONE,
     VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+    VIR_DOMAIN_LAUNCH_SECURITY_MKTME,
 
     VIR_DOMAIN_LAUNCH_SECURITY_LAST,
 } virDomainLaunchSecurity;
@@ -2332,6 +2333,15 @@ struct _virDomainVirtioOptions {
     virTristateSwitch ats;
 };
 
+struct _virDomainMKTMEDef {
+	int   sectype; /* enum virDomainLaunchSecurity */
+	char  *id;
+	char  *key_type;
+	char  *key;
+	char  *encryption_algorithm;
+	int   key_handle;
+};
+
 /*
  * Guest VM main configuration
  *
@@ -2491,6 +2501,9 @@ struct _virDomainDef {
     /* SEV-specific domain */
     virDomainSEVDefPtr sev;
 
+	/* MKTME- domain info*/
+    virDomainMKTMEDefPtr mktme;
+
     /* Application-specific custom metadata */
     xmlNodePtr metadata;
 
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 6a8267c422..a71ee462a0 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -346,4 +346,7 @@ typedef virDomainXMLPrivateDataCallbacks *virDomainXMLPrivateDataCallbacksPtr;
 typedef struct _virDomainXenbusControllerOpts virDomainXenbusControllerOpts;
 typedef virDomainXenbusControllerOpts *virDomainXenbusControllerOptsPtr;
 
+typedef struct _virDomainMKTMEDef virDomainMKTMEDef;
+typedef virDomainMKTMEDef *virDomainMKTMEDefPtr;
+
 #endif /* LIBVIRT_VIRCONFTYPES_H */
diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h
index 5315e33dde..1d26381cb4 100644
--- a/src/driver-hypervisor.h
+++ b/src/driver-hypervisor.h
@@ -1322,6 +1322,12 @@ typedef int
                         int *nparams,
                         unsigned int flags);
 
+typedef int
+(*virDrvNodeGetMKTMEInfo)(virConnectPtr conn,
+						  virTypedParameterPtr *params,
+						  int *nparams,
+						  unsigned int flags);
+
 typedef int
 (*virDrvDomainGetLaunchSecurityInfo)(virDomainPtr domain,
                                         virTypedParameterPtr *params,
@@ -1579,6 +1585,7 @@ struct _virHypervisorDriver {
     virDrvConnectCompareHypervisorCPU connectCompareHypervisorCPU;
     virDrvConnectBaselineHypervisorCPU connectBaselineHypervisorCPU;
     virDrvNodeGetSEVInfo nodeGetSEVInfo;
+	virDrvNodeGetMKTMEInfo nodeGetMKTMEInfo;
     virDrvDomainGetLaunchSecurityInfo domainGetLaunchSecurityInfo;
 };
 
diff --git a/src/libvirt-host.c b/src/libvirt-host.c
index e20d6ee250..6696fb9998 100644
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -1688,3 +1688,51 @@ virNodeGetSEVInfo(virConnectPtr conn,
     virDispatchError(conn);
     return -1;
 }
+
+/*
+ * virNodeGetMKTMEInfo:
+ * @conn: pointer to the hypervisor connection
+ * @params: where to store  mktme information
+ * @nparams: pointer to number of MKTME parameters returned in @params
+ * @flags: extra flags; not used yet, so callers should always pass 0
+ *
+ * If hypervisor supports Intel's MKTME feature, then @params will contain various
+ * platform specific information like number of keys supported. Caller is
+ * responsible for freeing @params.
+ *
+ * Returns 0 in case of success, and -1 in case of failure.
+ */
+int
+virNodeGetMKTMEInfo(virConnectPtr conn,
+	virTypedParameterPtr *params,
+	int *nparams,
+	unsigned int flags)
+{
+	VIR_DEBUG("conn=%p, params=%p, nparams=%p, flags=0x%x",
+		conn, params, nparams, flags);
+
+	virResetLastError();
+
+	virCheckConnectReturn(conn, -1);
+	virCheckNonNullArgGoto(nparams, error);
+	virCheckNonNegativeArgGoto(*nparams, error);
+	virCheckReadOnlyGoto(conn->flags, error);
+
+	if (VIR_DRV_SUPPORTS_FEATURE(conn->driver, conn,
+		VIR_DRV_FEATURE_TYPED_PARAM_STRING))
+		flags |= VIR_TYPED_PARAM_STRING_OKAY;
+
+	if (conn->driver->nodeGetMKTMEInfo) {
+		int ret;
+		ret = conn->driver->nodeGetMKTMEInfo(conn, params, nparams, flags);
+		if (ret < 0)
+			goto error;
+		return ret;
+	}
+
+	virReportUnsupportedError();
+
+error:
+	virDispatchError(conn);
+	return -1;
+}
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index a03cf0b645..afa6925715 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -189,6 +189,7 @@ virDomainCapsEnumClear;
 virDomainCapsEnumSet;
 virDomainCapsFormat;
 virDomainCapsNew;
+virMKTMECapabilitiesFree;
 virSEVCapabilitiesFree;
 
 
@@ -2352,6 +2353,9 @@ virMediatedDeviceSetUsedBy;
 virMediatedDeviceTypeFree;
 virMediatedDeviceTypeReadAttrs;
 
+# util/virmktme.h
+virGetMktmeKeyHandle;
+virMktmeIsEnabled;
 
 # util/virmodule.h
 virModuleLoad;
@@ -3315,6 +3319,7 @@ virXPathULongHex;
 virXPathULongLong;
 
 
+
 # Let emacs know we want case-insensitive sorting
 # Local Variables:
 # sort-fold-case: t
diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
index dbce3336d5..d106f36db2 100644
--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -819,4 +819,9 @@ LIBVIRT_5.2.0 {
         virConnectGetStoragePoolCapabilities;
 } LIBVIRT_4.10.0;
 
+LIBVIRT_5.3.0 {
+    global:
+		virNodeGetMKTMEInfo;
+} LIBVIRT_5.2.0;
+
 # .... define new API here using predicted next version number ....
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index a0b2ca73fb..c127d61a1d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -525,6 +525,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
               "virtio-pci-non-transitional",
               "overcommit",
               "query-current-machine",
+	          "mktme-guest"
     );
 
 
@@ -595,6 +596,8 @@ struct _virQEMUCaps {
 
     virSEVCapability *sevCapabilities;
 
+    virMKTMECapability *mktmeCapabilities;
+
     virQEMUCapsHostCPUData kvmCPU;
     virQEMUCapsHostCPUData tcgCPU;
 };
@@ -1090,6 +1093,7 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[] = {
     { "vhost-vsock-device", QEMU_CAPS_DEVICE_VHOST_VSOCK },
     { "mch", QEMU_CAPS_DEVICE_MCH },
     { "sev-guest", QEMU_CAPS_SEV_GUEST },
+    { "mktme-guest", QEMU_CAPS_MKTME_GUEST },
     { "vfio-ap", QEMU_CAPS_DEVICE_VFIO_AP },
     { "zpci", QEMU_CAPS_DEVICE_ZPCI },
     { "memory-backend-memfd", QEMU_CAPS_OBJECT_MEMORY_MEMFD },
@@ -1541,6 +1545,22 @@ virQEMUCapsSEVInfoCopy(virSEVCapabilityPtr *dst,
     return 0;
 }
 
+static int
+virQEMUCapsMKTMEInfoCopy(virMKTMECapabilityPtr *dst,
+			 virMKTMECapabilityPtr src)
+{
+	VIR_AUTOPTR(virMKTMECapability) tmp = NULL;
+
+	if (VIR_ALLOC(tmp) < 0 )
+		return -1;
+
+	tmp->keys_supported = src->keys_supported;
+
+	VIR_STEAL_PTR(*dst, tmp);
+	return 0;
+}
+
+
 
 virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
 {
@@ -1612,6 +1632,12 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEMUCapsPtr qemuCaps)
                                qemuCaps->sevCapabilities) < 0)
         goto error;
 
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MKTME_GUEST) &&
+	virQEMUCapsMKTMEInfoCopy(&ret->mktmeCapabilities,
+			qemuCaps->mktmeCapabilities) < 0)
+	goto error;
+
+
     return ret;
 
  error:
@@ -1643,6 +1669,7 @@ void virQEMUCapsDispose(void *obj)
     VIR_FREE(qemuCaps->gicCapabilities);
 
     virSEVCapabilitiesFree(qemuCaps->sevCapabilities);
+    virMKTMECapabilitiesFree(qemuCaps->mktmeCapabilities);
 
     virQEMUCapsHostCPUDataClear(&qemuCaps->kvmCPU);
     virQEMUCapsHostCPUDataClear(&qemuCaps->tcgCPU);
@@ -2099,6 +2126,12 @@ virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps)
     return qemuCaps->sevCapabilities;
 }
 
+virMKTMECapabilityPtr
+virQEMUCapsGetMKTMECapabilities(virQEMUCapsPtr qemuCaps)
+{
+	return qemuCaps->mktmeCapabilities;
+}
+
 
 static int
 virQEMUCapsProbeQMPCommands(virQEMUCapsPtr qemuCaps,
@@ -2768,6 +2801,30 @@ virQEMUCapsProbeQMPSEVCapabilities(virQEMUCapsPtr qemuCaps,
     return 0;
 }
 
+/* Returns -1 on error, 0 if MKTME is not supported, 1 if MKTME is supported */
+static int
+virQEMUCapsProbeQMPMKTMECapabilities(virQEMUCapsPtr qemuCaps,
+	qemuMonitorPtr mon)
+{
+	int rc = -1;
+	virMKTMECapability *caps = NULL;
+
+	if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MKTME_GUEST))
+		return 0;
+	if ((rc = qemuMonitorGetMKTMECapabilities(mon, &caps)) < 0)
+		return -1;
+
+	/* MKTME isn't actually supported */
+	if (rc == 0) {
+		virQEMUCapsClear(qemuCaps, QEMU_CAPS_MKTME_GUEST);
+		return 0;
+	}
+
+	virMKTMECapabilitiesFree(qemuCaps->mktmeCapabilities);
+	qemuCaps->mktmeCapabilities = caps;
+	return 0;
+}
+
 
 bool
 virQEMUCapsCPUFilterFeatures(const char *name,
@@ -3397,6 +3454,35 @@ virQEMUCapsParseSEVInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr ctxt)
     return 0;
 }
 
+static int
+virQEMUCapsParseMKTMEInfo(virQEMUCapsPtr qemuCaps, xmlXPathContextPtr ctxt)
+{
+	VIR_AUTOPTR(virMKTMECapability) mktme = NULL;
+
+	if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MKTME_GUEST))
+		return 0;
+
+	if (virXPathBoolean("boolean(./mktme)", ctxt) == 0) {
+		virReportError(VIR_ERR_XML_ERROR, "%s",
+			_("missing MKTME platform data in QEMU "
+				"capabilities cache"));
+		return -1;
+	}
+
+	if (VIR_ALLOC(mktme) < 0)
+		return -1;
+
+	if (virXPathUInt("string(./mktme/keys_supported)", ctxt, &mktme->keys_supported) < 0) {
+		virReportError(VIR_ERR_XML_ERROR, "%s",
+			_("missing or malformed MKTME keys_supported information "
+				"in QEMU capabilities cache"));
+		return -1;
+	}
+
+	VIR_STEAL_PTR(qemuCaps->mktmeCapabilities, mktme);
+	return 0;
+}
+
 
 /*
  * Parsing a doc that looks like
@@ -3650,6 +3736,10 @@ virQEMUCapsLoadCache(virArch hostArch,
     if (virQEMUCapsParseSEVInfo(qemuCaps, ctxt) < 0)
         goto cleanup;
 
+    if (virQEMUCapsParseMKTMEInfo(qemuCaps, ctxt) < 0)
+	goto cleanup;
+
+
     virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_KVM);
     virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_QEMU);
 
@@ -3786,6 +3876,17 @@ virQEMUCapsFormatSEVInfo(virQEMUCapsPtr qemuCaps, virBufferPtr buf)
     virBufferAddLit(buf, "</sev>\n");
 }
 
+static void
+virQEMUCapsFormatMKTMEInfo(virQEMUCapsPtr qemuCaps, virBufferPtr buf)
+{
+	virMKTMECapabilityPtr mktme = virQEMUCapsGetMKTMECapabilities(qemuCaps);
+
+	virBufferAddLit(buf, "<mktme>\n");
+	virBufferAdjustIndent(buf, 2);
+	virBufferAsprintf(buf, "<keys_supported>%u</keys_supported>\n", mktme->keys_supported);
+	virBufferAdjustIndent(buf, -2);
+	virBufferAddLit(buf, "</mktme>\n");
+}
 
 char *
 virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
@@ -3806,7 +3907,7 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
 
     for (i = 0; i < QEMU_CAPS_LAST; i++) {
         if (virQEMUCapsGet(qemuCaps, i)) {
-            virBufferAsprintf(&buf, "<flag name='%s'/>\n",
+			virBufferAsprintf(&buf, "<flag name='%s'/>\n",
                               virQEMUCapsTypeToString(i));
         }
     }
@@ -3871,6 +3972,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qemuCaps)
     if (qemuCaps->sevCapabilities)
         virQEMUCapsFormatSEVInfo(qemuCaps, &buf);
 
+    if (qemuCaps->mktmeCapabilities)
+	virQEMUCapsFormatMKTMEInfo(qemuCaps, &buf);
+
     if (qemuCaps->kvmSupportsNesting)
         virBufferAddLit(&buf, "<kvmSupportsNesting/>\n");
 
@@ -4373,6 +4477,8 @@ virQEMUCapsInitQMPMonitor(virQEMUCapsPtr qemuCaps,
         return -1;
     if (virQEMUCapsProbeQMPSEVCapabilities(qemuCaps, mon) < 0)
         return -1;
+    if (virQEMUCapsProbeQMPMKTMECapabilities(qemuCaps, mon) < 0)
+	return -1;
 
     virQEMUCapsInitProcessCaps(qemuCaps);
 
@@ -5325,6 +5431,25 @@ virQEMUCapsFillDomainFeatureSEVCaps(virQEMUCapsPtr qemuCaps,
     return 0;
 }
 
+static int
+virQEMUCapsFillDomainFeatureMKTMECaps(virQEMUCapsPtr qemuCaps,
+				      virDomainCapsPtr domCaps)
+{
+	virMKTMECapability *cap = qemuCaps->mktmeCapabilities;
+	VIR_AUTOPTR(virMKTMECapability) mktme = NULL;
+
+	if (!cap)
+		return 0;
+
+	if (VIR_ALLOC(mktme) < 0)
+		return -1;
+
+	mktme->keys_supported = cap->keys_supported;
+	VIR_STEAL_PTR(domCaps->mktme, mktme);
+
+	return 0;
+}
+
 
 int
 virQEMUCapsFillDomainCaps(virCapsPtr caps,
@@ -5370,7 +5495,8 @@ virQEMUCapsFillDomainCaps(virCapsPtr caps,
         virQEMUCapsFillDomainDeviceVideoCaps(qemuCaps, video) < 0 ||
         virQEMUCapsFillDomainDeviceHostdevCaps(qemuCaps, hostdev) < 0 ||
         virQEMUCapsFillDomainFeatureGICCaps(qemuCaps, domCaps) < 0 ||
-        virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps) < 0)
+        virQEMUCapsFillDomainFeatureSEVCaps(qemuCaps, domCaps) < 0 || 
+	virQEMUCapsFillDomainFeatureMKTMECaps(qemuCaps, domCaps) < 0)
         return -1;
 
     return 0;
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 67c8e80462..5614479617 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -507,6 +507,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
     QEMU_CAPS_VIRTIO_PCI_TRANSITIONAL, /* virtio *-pci-{non-}transitional devices */
     QEMU_CAPS_OVERCOMMIT, /* -overcommit */
     QEMU_CAPS_QUERY_CURRENT_MACHINE, /* query-current-machine command */
+    QEMU_CAPS_MKTME_GUEST, /* -object mktme-guest,... */
 
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
@@ -644,6 +645,9 @@ bool virQEMUCapsCPUFilterFeatures(const char *name,
 virSEVCapabilityPtr
 virQEMUCapsGetSEVCapabilities(virQEMUCapsPtr qemuCaps);
 
+virMKTMECapabilityPtr
+virQEMUCapsGetMKTMECapabilities(virQEMUCapsPtr qemuCaps);
+
 virArch virQEMUCapsArchFromString(const char *arch);
 const char *virQEMUCapsArchToString(virArch arch);
 
diff --git a/src/qemu/qemu_capspriv.h b/src/qemu/qemu_capspriv.h
index 2d059bee8c..2c44c7a38c 100644
--- a/src/qemu/qemu_capspriv.h
+++ b/src/qemu/qemu_capspriv.h
@@ -95,6 +95,10 @@ void
 virQEMUCapsSetSEVCapabilities(virQEMUCapsPtr qemuCaps,
                               virSEVCapability *capabilities);
 
+void
+virQEMUCapsSetMKTMECapabilities(virQEMUCapsPtr qemuCaps,
+	virMKTMECapability *capabilities);
+
 int
 virQEMUCapsProbeQMPCPUDefinitions(virQEMUCapsPtr qemuCaps,
                                   qemuMonitorPtr mon,
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 50b4205267..ad193a5b4c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -59,6 +59,7 @@
 #include "virgic.h"
 #include "virmdev.h"
 #include "virdomainsnapshotobjlist.h"
+#include "virmktme.h"
 #if defined(__linux__)
 # include <linux/capability.h>
 #endif
@@ -7765,6 +7766,10 @@ qemuBuildMachineCommandLine(virCommandPtr cmd,
     if (def->sev)
         virBufferAddLit(&buf, ",memory-encryption=sev0");
 
+    if (def->mktme)
+	virBufferAddLit(&buf, ",memory-encryption=m0");
+
+
     virCommandAddArgBuffer(cmd, &buf);
 
     ret = 0;
@@ -10266,6 +10271,37 @@ qemuBuildSEVCommandLine(virDomainObjPtr vm, virCommandPtr cmd,
     return ret;
 }
 
+static int
+qemuBuildMKTMECommandLine(virCommandPtr cmd,
+			  virDomainMKTMEDefPtr mktme)
+{
+	virBuffer buf = VIR_BUFFER_INITIALIZER;
+	int ret = -1;
+
+	if (!mktme)
+	    return 0;
+
+	if ((mktme->key_handle = virGetMktmeKeyHandle(mktme->id, mktme->key_type,
+		mktme->key, mktme->encryption_algorithm)) < 0)
+	{
+	    virReportError(VIR_ERR_INTERNAL_ERROR,
+		_("Failed to get MKTME key handle id %s"), mktme->id);
+	    return -1;
+
+	}
+	VIR_DEBUG("id=%s key_type=%s key_handle=0x%x",
+		mktme->id, mktme->key_type, mktme->key_handle);
+
+	virBufferAsprintf(&buf, "mktme-guest,id=m0,handle=%d", mktme->key_handle);
+
+	virCommandAddArg(cmd, "-object");
+	virCommandAddArgBuffer(cmd, &buf);
+	ret = 0;
+	virBufferFreeAndReset(&buf);
+	return ret;
+}
+
+
 static int
 qemuBuildVMCoreInfoCommandLine(virCommandPtr cmd,
                                const virDomainDef *def,
@@ -10886,6 +10922,10 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
     if (qemuBuildSEVCommandLine(vm, cmd, def->sev) < 0)
         goto error;
 
+    if (qemuBuildMKTMECommandLine(cmd, def->mktme) < 0)
+	goto error;
+
+
     if (snapshot)
         virCommandAddArgList(cmd, "-loadvm", snapshot->def->name, NULL);
 
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index b2ac737d1f..ef62c15a26 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -22266,6 +22266,68 @@ qemuNodeGetSEVInfo(virConnectPtr conn,
 }
 
 
+static int
+qemuGetMKTMEInfoToParams(virQEMUCapsPtr qemuCaps,
+	virTypedParameterPtr *params,
+	int *nparams,
+	unsigned int flags)
+{
+	int maxpar = 0;
+	int n = 0;
+	virMKTMECapabilityPtr mktme = virQEMUCapsGetMKTMECapabilities(qemuCaps);
+	virTypedParameterPtr mktmeParams = NULL;
+
+	virCheckFlags(VIR_TYPED_PARAM_STRING_OKAY, -1);
+
+	if (virTypedParamsAddUInt(&mktmeParams, &n, &maxpar,
+		VIR_NODE_MKTME_KEYS_SUPPORTED, mktme->keys_supported) < 0)
+	    goto cleanup;
+
+	VIR_STEAL_PTR(*params, mktmeParams);
+	*nparams = n;
+	return 0;
+
+cleanup:
+	virTypedParamsFree(mktmeParams, n);
+	return -1;
+}
+
+
+static int
+qemuNodeGetMKTMEInfo(virConnectPtr conn,
+	virTypedParameterPtr *params,
+	int *nparams,
+	unsigned int flags)
+{
+	virQEMUDriverPtr driver = conn->privateData;
+	virQEMUCapsPtr qemucaps = NULL;
+	int ret = -1;
+
+	if (virNodeGetMktmeInfoEnsureACL(conn) < 0)
+	    return ret;
+
+	qemucaps = virQEMUCapsCacheLookupByArch(driver->qemuCapsCache,
+						virArchFromHost());
+	if (!qemucaps)
+	    goto cleanup;
+
+	if (!virQEMUCapsGet(qemucaps, QEMU_CAPS_MKTME_GUEST)) {
+	    virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+		_("QEMU does not support MKTME guest"));
+	    goto cleanup;
+	}
+
+	if (qemuGetMKTMEInfoToParams(qemucaps, params, nparams, flags) < 0)
+	    goto cleanup;
+
+	ret = 0;
+
+cleanup:
+	virObjectUnref(qemucaps);
+	return ret;
+}
+
+
 static int
 qemuDomainGetSEVMeasurement(virQEMUDriverPtr driver,
                             virDomainObjPtr vm,
@@ -22560,6 +22622,7 @@ static virHypervisorDriver qemuHypervisorDriver = {
     .connectBaselineHypervisorCPU = qemuConnectBaselineHypervisorCPU, /* 4.4.0 */
     .nodeGetSEVInfo = qemuNodeGetSEVInfo, /* 4.5.0 */
     .domainGetLaunchSecurityInfo = qemuDomainGetLaunchSecurityInfo, /* 4.5.0 */
+    .nodeGetMKTMEInfo = qemuNodeGetMKTMEInfo /* 5.3.0 */
 };
 
 
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index e1fcbac13f..ea06e09f95 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -3921,6 +3921,15 @@ qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
     return qemuMonitorJSONGetSEVCapabilities(mon, capabilities);
 }
 
+int
+qemuMonitorGetMKTMECapabilities(qemuMonitorPtr mon,
+				virMKTMECapability **capabilities)
+{
+	QEMU_CHECK_MONITOR(mon);
+
+	return qemuMonitorJSONGetMKTMECapabilities(mon, capabilities);
+}
+
 
 int
 qemuMonitorNBDServerStart(qemuMonitorPtr mon,
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 9242d37407..2b39e54625 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -761,6 +761,11 @@ int qemuMonitorGetGICCapabilities(qemuMonitorPtr mon,
 int qemuMonitorGetSEVCapabilities(qemuMonitorPtr mon,
                                   virSEVCapability **capabilities);
 
+
+int qemuMonitorGetMKTMECapabilities(qemuMonitorPtr mon,
+				  virMKTMECapability **capabilities);
+
+
 typedef enum {
   QEMU_MONITOR_MIGRATE_BACKGROUND       = 1 << 0,
   QEMU_MONITOR_MIGRATE_NON_SHARED_DISK  = 1 << 1, /* migration with non-shared storage with full disk copy */
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index 908967f46c..708d483942 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -6654,6 +6654,58 @@ qemuMonitorJSONGetSEVCapabilities(qemuMonitorPtr mon,
     return ret;
 }
 
+int
+qemuMonitorJSONGetMKTMECapabilities(qemuMonitorPtr mon,
+	virMKTMECapability **capabilities)
+{
+	int ret = -1;
+	virJSONValuePtr cmd;
+	virJSONValuePtr reply = NULL;
+	virJSONValuePtr caps;
+	unsigned int keys_supported;
+	VIR_AUTOPTR(virMKTMECapability) capability = NULL;
+
+	*capabilities = NULL;
+
+	/* Query may change*/
+	if (!(cmd = qemuMonitorJSONMakeCommand("query-mktme-capabilities",
+		NULL)))
+		return -1;
+
+	if (qemuMonitorJSONCommand(mon, cmd, &reply) < 0)
+		goto cleanup;
+
+	if (qemuMonitorJSONHasError(reply, "GenericError")) {
+		ret = 0;
+		goto cleanup;
+	}
+
+	if (qemuMonitorJSONCheckError(cmd, reply) < 0)
+		goto cleanup;
+
+	caps = virJSONValueObjectGetObject(reply, "return");
+
+	if (virJSONValueObjectGetNumberUint(caps, "keys_supported", &keys_supported) < 0) {
+		virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+			_("query-mktme-capabilities reply was missing"
+				" 'keys_supported' field"));
+		goto cleanup;
+	}
+
+	if (VIR_ALLOC(capability) < 0)
+		goto cleanup;
+
+	capability->keys_supported = keys_supported;
+	VIR_STEAL_PTR(*capabilities, capability);
+	ret = 1;
+cleanup:
+	virJSONValueFree(cmd);
+	virJSONValueFree(reply);
+
+	return ret;
+}
+
+
 static virJSONValuePtr
 qemuMonitorJSONBuildInetSocketAddress(const char *host,
                                       const char *port)
diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
index 746b7072ca..e9316564ba 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -158,6 +158,9 @@ int qemuMonitorJSONGetGICCapabilities(qemuMonitorPtr mon,
 int qemuMonitorJSONGetSEVCapabilities(qemuMonitorPtr mon,
                                       virSEVCapability **capabilities);
 
+int qemuMonitorJSONGetMKTMECapabilities(qemuMonitorPtr mon,
+	virMKTMECapability **capabilities);
+
 int qemuMonitorJSONMigrate(qemuMonitorPtr mon,
                            unsigned int flags,
                            const char *uri);
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index df28259042..f42686bfa9 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -5229,6 +5229,49 @@ remoteDispatchNodeGetSevInfo(virNetServerPtr server ATTRIBUTE_UNUSED,
     return rv;
 }
 
+static int
+remoteDispatchNodeGetMktmeInfo(virNetServerPtr server ATTRIBUTE_UNUSED,
+	virNetServerClientPtr client ATTRIBUTE_UNUSED,
+	virNetMessagePtr msg ATTRIBUTE_UNUSED,
+	virNetMessageErrorPtr rerr,
+	remote_node_get_mktme_info_args *args,
+	remote_node_get_mktme_info_ret *ret)
+{
+	virTypedParameterPtr params = NULL;
+	int nparams = 0;
+	int rv = -1;
+	struct daemonClientPrivate *priv =
+		virNetServerClientGetPrivateData(client);
+
+	if (!priv->conn) {
+		virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not open"));
+		goto cleanup;
+	}
+
+	if (virNodeGetMKTMEInfo(priv->conn, &params, &nparams, args->flags) < 0)
+		goto cleanup;
+
+	if (nparams > REMOTE_NODE_MKTME_INFO_MAX) {
+		virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large"));
+		goto cleanup;
+	}
+
+
+	if (virTypedParamsSerialize(params, nparams,
+		(virTypedParameterRemotePtr *)&ret->params.params_val,
+		&ret->params.params_len,
+		args->flags) < 0)
+		goto cleanup;
+
+	rv = 0;
+
+cleanup:
+	if (rv < 0)
+		virNetMessageSaveError(rerr);
+	virTypedParamsFree(params, nparams);
+	return rv;
+}
+
 
 static int
 remoteDispatchNodeGetMemoryParameters(virNetServerPtr server ATTRIBUTE_UNUSED,
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 5c4dd41227..507ce0f917 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -6824,6 +6824,43 @@ remoteNodeGetSEVInfo(virConnectPtr conn,
     return rv;
 }
 
+static int
+remoteNodeGetMKTMEInfo(virConnectPtr conn,
+	virTypedParameterPtr *params,
+	int *nparams,
+	unsigned int flags)
+{
+	int rv = -1;
+	remote_node_get_mktme_info_args args;
+	remote_node_get_mktme_info_ret ret;
+	struct private_data *priv = conn->privateData;
+
+	remoteDriverLock(priv);
+
+	args.flags = flags;
+
+	memset(&ret, 0, sizeof(ret));
+	if (call(conn, priv, 0, REMOTE_PROC_NODE_GET_MKTME_INFO,
+		(xdrproc_t)xdr_remote_node_get_mktme_info_args, (char *)&args,
+		(xdrproc_t)xdr_remote_node_get_mktme_info_ret, (char *)&ret) == -1)
+		goto done;
+
+	if (virTypedParamsDeserialize((virTypedParameterRemotePtr)ret.params.params_val,
+		ret.params.params_len,
+		REMOTE_NODE_MKTME_INFO_MAX,
+		params,
+		nparams) < 0)
+		goto cleanup;
+
+	rv = 0;
+
+cleanup:
+	xdr_free((xdrproc_t)xdr_remote_node_get_mktme_info_ret, (char *)&ret);
+done:
+	remoteDriverUnlock(priv);
+	return rv;
+}
+
 
 static int
 remoteNodeGetCPUMap(virConnectPtr conn,
@@ -8516,7 +8553,8 @@ static virHypervisorDriver hypervisor_driver = {
     .connectCompareHypervisorCPU = remoteConnectCompareHypervisorCPU, /* 4.4.0 */
     .connectBaselineHypervisorCPU = remoteConnectBaselineHypervisorCPU, /* 4.4.0 */
     .nodeGetSEVInfo = remoteNodeGetSEVInfo, /* 4.5.0 */
-    .domainGetLaunchSecurityInfo = remoteDomainGetLaunchSecurityInfo /* 4.5.0 */
+    .domainGetLaunchSecurityInfo = remoteDomainGetLaunchSecurityInfo, /* 4.5.0 */
+	.nodeGetMKTMEInfo = remoteNodeGetMKTMEInfo /* 5.3.0 */
 };
 
 static virNetworkDriver network_driver = {
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 11f44ee267..b7806f42fa 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -260,6 +260,9 @@ const REMOTE_DOMAIN_IOTHREAD_PARAMS_MAX = 64;
 /* Upper limit on number of SEV parameters */
 const REMOTE_NODE_SEV_INFO_MAX = 64;
 
+/* Upper limit on number of MKTME parameters */
+const REMOTE_NODE_MKTME_INFO_MAX = 64;
+
 /* Upper limit on number of launch security information entries */
 const REMOTE_DOMAIN_LAUNCH_SECURITY_INFO_PARAMS_MAX = 64;
 
@@ -3573,6 +3576,16 @@ struct remote_connect_get_storage_pool_capabilities_ret {
     remote_nonnull_string capabilities;
 };
 
+struct remote_node_get_mktme_info_args {
+    int nparams;
+    unsigned int flags;
+};
+
+struct remote_node_get_mktme_info_ret {
+    remote_typed_param params<REMOTE_NODE_MKTME_INFO_MAX>;
+    int nparams;
+};
+
 /*----- Protocol. -----*/
 
 /* Define the program number, protocol version and procedure numbers here. */
@@ -6342,5 +6355,11 @@ enum remote_procedure {
      * @generate: both
      * @acl: connect:read
      */
-    REMOTE_PROC_CONNECT_GET_STORAGE_POOL_CAPABILITIES = 403
+    REMOTE_PROC_CONNECT_GET_STORAGE_POOL_CAPABILITIES = 403,
+
+	/**
+     * @generate: none
+     * @acl: connect:read
+     */
+    REMOTE_PROC_NODE_GET_MKTME_INFO = 404
 };
diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
index 768189c573..0f469d68a1 100644
--- a/src/remote_protocol-structs
+++ b/src/remote_protocol-structs
@@ -2981,6 +2981,17 @@ struct remote_connect_get_storage_pool_capabilities_args {
 struct remote_connect_get_storage_pool_capabilities_ret {
         remote_nonnull_string      capabilities;
 };
+struct remote_node_get_mktme_info_args {
+        int                        nparams;
+        u_int                      flags;
+};
+struct remote_node_get_mktme_info_ret {
+        struct {
+                u_int              params_len;
+                remote_typed_param * params_val;
+        } params;
+        int                        nparams;
+};
 enum remote_procedure {
         REMOTE_PROC_CONNECT_OPEN = 1,
         REMOTE_PROC_CONNECT_CLOSE = 2,
@@ -3385,4 +3396,5 @@ enum remote_procedure {
         REMOTE_PROC_CONNECT_LIST_ALL_NWFILTER_BINDINGS = 401,
         REMOTE_PROC_DOMAIN_SET_IOTHREAD_PARAMS = 402,
         REMOTE_PROC_CONNECT_GET_STORAGE_POOL_CAPABILITIES = 403,
+		REMOTE_PROC_NODE_GET_MKTME_INFO = 404,
 };
diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am
index c757f5a6ae..ad4aa89873 100644
--- a/src/util/Makefile.inc.am
+++ b/src/util/Makefile.inc.am
@@ -228,6 +228,8 @@ UTIL_SOURCES = \
 	util/virmdev.h \
 	util/virfilecache.c \
 	util/virfilecache.h \
+	util/virmktme.c \
+	util/virmktme.h \
 	$(NULL)
 
 
diff --git a/src/util/virmktme.c b/src/util/virmktme.c
new file mode 100644
index 0000000000..714f4e8a2e
--- /dev/null
+++ b/src/util/virmktme.c
@@ -0,0 +1,112 @@
+/*
+* virmktme.c: interaction with processes
+*
+* Copyright (C) 2010-2015 Red Hat, Inc.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library.  If not, see
+* <http://www.gnu.org/licenses/>.
+*
+*/
+#ifdef __linux__
+#include <config.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <asm/unistd.h>
+#include <linux/keyctl.h>
+#endif
+#include "virerror.h"
+#include "virlog.h"
+#include "viraudit.h"
+#include "virfile.h"
+#include "viralloc.h"
+#include "virutil.h"
+#include "virstring.h"
+#include "virmktme.h"
+
+VIR_LOG_INIT("util.mktme");
+// Libvirt thread specific dest keyring
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+/**
+* virGetMktmeKey:
+* @id: mktme id-string
+* @type :  mktme key type
+* @key :  user key value
+* @encyption_algorithm : encryption algorithm
+*
+* returns mktme key-handle , this handle is used to encrypt the memory
+* return -1 in case of failue
+*/
+
+#ifdef __linux__
+#define GET_MKTME_DEST_RING()						\
+{									\
+    destringid = syscall(__NR_request_key,"keyring",			\
+	   LIBVIRT_MKTME_KEY_RING_NAME, KEY_SPEC_PROCESS_KEYRING);	\
+}
+#else
+#define GET_MKTME_DEST_RING()
+#endif
+
+int
+virGetMktmeKeyHandle(const char* id,
+	const char* type,
+	const char* key,
+	const char *algorithm)
+{
+    char *callout = NULL;
+    int destringid = -1;
+
+    int ret = -1;
+
+    if (!id || !type || !algorithm )
+       return -1;
+
+    GET_MKTME_DEST_RING();
+    if(destringid < 0)
+        return -1;
+
+    if (key) {
+        if (virAsprintf(&callout, "type=%s algorithm=%s key=%s",
+		        type, algorithm, key) < 0)
+	    return -1;
+	}
+	else {
+	    if (virAsprintf(&callout, "type=%s algorithm=%s", type, algorithm) < 0)
+		return -1;
+	}
+
+#ifdef __linux__
+    ret = syscall(__NR_request_key,"mktme", id, callout, destringid);
+    VIR_FREE(callout);
+#endif
+    return ret;
+}
+
+/**
+* virMktmeIsEnabled:
+*
+* Returns MKTME initialization status
+*/
+int
+virMktmeIsEnabled(void)
+{
+    int destringid = -1;
+    GET_MKTME_DEST_RING();
+    if(destringid < 0)
+       return 0;
+
+    return 1;
+}
diff --git a/src/util/virmktme.h b/src/util/virmktme.h
new file mode 100644
index 0000000000..d698f6bfe4
--- /dev/null
+++ b/src/util/virmktme.h
@@ -0,0 +1,33 @@
+/*
+* virmktme.h: MKTME kernel calls
+*
+* Copyright (C) 2016 Red Hat, Inc.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library.  If not, see
+* <http://www.gnu.org/licenses/>.
+*/
+
+
+#ifndef LIBVIRT_VIRMKTME_H
+#define LIBVIRT_VIRMKTME_H
+
+int
+virGetMktmeKeyHandle(const char* id, const char* type,
+	const char* key, const char *algorithm);
+
+int
+virMktmeIsEnabled(void);
+
+#define LIBVIRT_MKTME_KEY_RING_NAME      "mktme_key_ring_service"
+#endif
diff --git a/tests/domaincapsschemadata/bhyve_basic.x86_64.xml b/tests/domaincapsschemadata/bhyve_basic.x86_64.xml
index bdf2c4eee8..8db3340b38 100644
--- a/tests/domaincapsschemadata/bhyve_basic.x86_64.xml
+++ b/tests/domaincapsschemadata/bhyve_basic.x86_64.xml
@@ -32,5 +32,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml b/tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml
index f998c457c1..397c7c7ae2 100644
--- a/tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml
+++ b/tests/domaincapsschemadata/bhyve_fbuf.x86_64.xml
@@ -49,5 +49,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/bhyve_uefi.x86_64.xml b/tests/domaincapsschemadata/bhyve_uefi.x86_64.xml
index 18f90023d5..f5c2c67fd8 100644
--- a/tests/domaincapsschemadata/bhyve_uefi.x86_64.xml
+++ b/tests/domaincapsschemadata/bhyve_uefi.x86_64.xml
@@ -41,5 +41,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/empty.xml b/tests/domaincapsschemadata/empty.xml
index 6c3f5f54fd..2ebefe8a05 100644
--- a/tests/domaincapsschemadata/empty.xml
+++ b/tests/domaincapsschemadata/empty.xml
@@ -12,5 +12,6 @@
   </devices>
   <features>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/libxl-xenfv.xml b/tests/domaincapsschemadata/libxl-xenfv.xml
index 4efc137c97..09c04374b9 100644
--- a/tests/domaincapsschemadata/libxl-xenfv.xml
+++ b/tests/domaincapsschemadata/libxl-xenfv.xml
@@ -75,5 +75,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/libxl-xenpv.xml b/tests/domaincapsschemadata/libxl-xenpv.xml
index 70e598fe9e..aac2a2cba6 100644
--- a/tests/domaincapsschemadata/libxl-xenpv.xml
+++ b/tests/domaincapsschemadata/libxl-xenpv.xml
@@ -65,5 +65,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml b/tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml
index 06908cc61e..8e55093e39 100644
--- a/tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_1.7.0.x86_64.xml
@@ -122,5 +122,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.12.0-virt.aarch64.xml b/tests/domaincapsschemadata/qemu_2.12.0-virt.aarch64.xml
index 5983a60887..ff0d410846 100644
--- a/tests/domaincapsschemadata/qemu_2.12.0-virt.aarch64.xml
+++ b/tests/domaincapsschemadata/qemu_2.12.0-virt.aarch64.xml
@@ -130,5 +130,6 @@
     <vmcoreinfo supported='yes'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml b/tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml
index 42c67623f4..158827f607 100644
--- a/tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml
+++ b/tests/domaincapsschemadata/qemu_2.12.0.ppc64.xml
@@ -90,5 +90,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.12.0.s390x.xml b/tests/domaincapsschemadata/qemu_2.12.0.s390x.xml
index 4804c13329..71beea4258 100644
--- a/tests/domaincapsschemadata/qemu_2.12.0.s390x.xml
+++ b/tests/domaincapsschemadata/qemu_2.12.0.s390x.xml
@@ -182,5 +182,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml b/tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml
index f5f54cb484..559bbdda0b 100644
--- a/tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.12.0.x86_64.xml
@@ -158,5 +158,6 @@
       <cbitpos>47</cbitpos>
       <reducedPhysBits>1</reducedPhysBits>
     </sev>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.6.0-virt.aarch64.xml b/tests/domaincapsschemadata/qemu_2.6.0-virt.aarch64.xml
index 99ee16e4bb..30f70cd80d 100644
--- a/tests/domaincapsschemadata/qemu_2.6.0-virt.aarch64.xml
+++ b/tests/domaincapsschemadata/qemu_2.6.0-virt.aarch64.xml
@@ -127,5 +127,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml b/tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml
index 61fdae009a..293dd3d4f5 100644
--- a/tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml
+++ b/tests/domaincapsschemadata/qemu_2.6.0.aarch64.xml
@@ -121,5 +121,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml b/tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml
index a33960a2af..dedd4ed799 100644
--- a/tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml
+++ b/tests/domaincapsschemadata/qemu_2.6.0.ppc64.xml
@@ -94,5 +94,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml b/tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml
index 94fe08bc92..a5fc6d46ee 100644
--- a/tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.6.0.x86_64.xml
@@ -129,5 +129,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.7.0.s390x.xml b/tests/domaincapsschemadata/qemu_2.7.0.s390x.xml
index 1057573681..ea51c0aee9 100644
--- a/tests/domaincapsschemadata/qemu_2.7.0.s390x.xml
+++ b/tests/domaincapsschemadata/qemu_2.7.0.s390x.xml
@@ -87,5 +87,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml b/tests/domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml
index 39f3bd6d9f..2505bfe316 100644
--- a/tests/domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.8.0-tcg.x86_64.xml
@@ -130,5 +130,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.8.0.s390x.xml b/tests/domaincapsschemadata/qemu_2.8.0.s390x.xml
index 9ae9a1a8bc..fa7e0d2fb5 100644
--- a/tests/domaincapsschemadata/qemu_2.8.0.s390x.xml
+++ b/tests/domaincapsschemadata/qemu_2.8.0.s390x.xml
@@ -168,5 +168,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml b/tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml
index 1770c81fdb..deb8210590 100644
--- a/tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.8.0.x86_64.xml
@@ -130,5 +130,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml b/tests/domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml
index e2ec30fda7..89d3038557 100644
--- a/tests/domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.9.0-q35.x86_64.xml
@@ -139,5 +139,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='yes'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml b/tests/domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml
index 65226ee284..9aaa3e41c8 100644
--- a/tests/domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.9.0-tcg.x86_64.xml
@@ -162,5 +162,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='yes'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml b/tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml
index 0093877a0b..0f9d1400a1 100644
--- a/tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_2.9.0.x86_64.xml
@@ -139,5 +139,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='yes'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_3.0.0.s390x.xml b/tests/domaincapsschemadata/qemu_3.0.0.s390x.xml
index c8efefc5ba..af2217f05b 100644
--- a/tests/domaincapsschemadata/qemu_3.0.0.s390x.xml
+++ b/tests/domaincapsschemadata/qemu_3.0.0.s390x.xml
@@ -188,5 +188,6 @@
     <vmcoreinfo supported='no'/>
     <genid supported='no'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml
index ca3baab88c..e00c816980 100644
--- a/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_3.1.0.x86_64.xml
@@ -157,5 +157,6 @@
     <vmcoreinfo supported='yes'/>
     <genid supported='yes'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml
index 42d8949e61..53d1663368 100644
--- a/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml
+++ b/tests/domaincapsschemadata/qemu_4.0.0.x86_64.xml
@@ -157,5 +157,6 @@
     <vmcoreinfo supported='yes'/>
     <genid supported='yes'/>
     <sev supported='no'/>
+    <mktme supported='no'/>
   </features>
 </domainCapabilities>
diff --git a/tests/domaincapsschemadata/qemu_5.0.0.x86_64.xml b/tests/domaincapsschemadata/qemu_5.0.0.x86_64.xml
new file mode 100644
index 0000000000..3d0c70faab
--- /dev/null
+++ b/tests/domaincapsschemadata/qemu_5.0.0.x86_64.xml
@@ -0,0 +1,164 @@
+<domainCapabilities>
+  <path>/usr/bin/qemu-system-x86_64</path>
+  <domain>kvm</domain>
+  <machine>pc-i440fx-4.0</machine>
+  <arch>x86_64</arch>
+  <vcpu max='255'/>
+  <iothreads supported='yes'/>
+  <os supported='yes'>
+    <enum name='firmware'>
+      <value>bios</value>
+      <value>efi</value>
+    </enum>
+    <loader supported='yes'>
+      <value>/usr/share/AAVMF/AAVMF_CODE.fd</value>
+      <value>/usr/share/AAVMF/AAVMF32_CODE.fd</value>
+      <value>/usr/share/OVMF/OVMF_CODE.fd</value>
+      <enum name='type'>
+        <value>rom</value>
+        <value>pflash</value>
+      </enum>
+      <enum name='readonly'>
+        <value>yes</value>
+        <value>no</value>
+      </enum>
+      <enum name='secure'>
+        <value>no</value>
+      </enum>
+    </loader>
+  </os>
+  <cpu>
+    <mode name='host-passthrough' supported='yes'/>
+    <mode name='host-model' supported='yes'>
+      <model fallback='forbid'>Skylake-Client-IBRS</model>
+      <vendor>Intel</vendor>
+      <feature policy='require' name='ss'/>
+      <feature policy='require' name='hypervisor'/>
+      <feature policy='require' name='tsc_adjust'/>
+      <feature policy='require' name='clflushopt'/>
+      <feature policy='require' name='umip'/>
+      <feature policy='require' name='arch-capabilities'/>
+      <feature policy='require' name='ssbd'/>
+      <feature policy='require' name='xsaves'/>
+      <feature policy='require' name='pdpe1gb'/>
+      <feature policy='require' name='invtsc'/>
+    </mode>
+    <mode name='custom' supported='yes'>
+      <model usable='yes'>qemu64</model>
+      <model usable='yes'>qemu32</model>
+      <model usable='no'>phenom</model>
+      <model usable='yes'>pentium3</model>
+      <model usable='yes'>pentium2</model>
+      <model usable='yes'>pentium</model>
+      <model usable='yes'>n270</model>
+      <model usable='yes'>kvm64</model>
+      <model usable='yes'>kvm32</model>
+      <model usable='yes'>coreduo</model>
+      <model usable='yes'>core2duo</model>
+      <model usable='no'>athlon</model>
+      <model usable='yes'>Westmere-IBRS</model>
+      <model usable='yes'>Westmere</model>
+      <model usable='no'>Skylake-Server-IBRS</model>
+      <model usable='no'>Skylake-Server</model>
+      <model usable='yes'>Skylake-Client-IBRS</model>
+      <model usable='yes'>Skylake-Client</model>
+      <model usable='yes'>SandyBridge-IBRS</model>
+      <model usable='yes'>SandyBridge</model>
+      <model usable='yes'>Penryn</model>
+      <model usable='no'>Opteron_G5</model>
+      <model usable='no'>Opteron_G4</model>
+      <model usable='no'>Opteron_G3</model>
+      <model usable='yes'>Opteron_G2</model>
+      <model usable='yes'>Opteron_G1</model>
+      <model usable='yes'>Nehalem-IBRS</model>
+      <model usable='yes'>Nehalem</model>
+      <model usable='yes'>IvyBridge-IBRS</model>
+      <model usable='yes'>IvyBridge</model>
+      <model usable='no'>Icelake-Server</model>
+      <model usable='no'>Icelake-Client</model>
+      <model usable='yes'>Haswell-noTSX-IBRS</model>
+      <model usable='yes'>Haswell-noTSX</model>
+      <model usable='yes'>Haswell-IBRS</model>
+      <model usable='yes'>Haswell</model>
+      <model usable='no'>EPYC-IBPB</model>
+      <model usable='no'>EPYC</model>
+      <model usable='yes'>Conroe</model>
+      <model usable='no'>Cascadelake-Server</model>
+      <model usable='yes'>Broadwell-noTSX-IBRS</model>
+      <model usable='yes'>Broadwell-noTSX</model>
+      <model usable='yes'>Broadwell-IBRS</model>
+      <model usable='yes'>Broadwell</model>
+      <model usable='yes'>486</model>
+    </mode>
+  </cpu>
+  <devices>
+    <disk supported='yes'>
+      <enum name='diskDevice'>
+        <value>disk</value>
+        <value>cdrom</value>
+        <value>floppy</value>
+        <value>lun</value>
+      </enum>
+      <enum name='bus'>
+        <value>ide</value>
+        <value>fdc</value>
+        <value>scsi</value>
+        <value>virtio</value>
+        <value>usb</value>
+        <value>sata</value>
+      </enum>
+      <enum name='model'>
+        <value>virtio</value>
+        <value>virtio-transitional</value>
+        <value>virtio-non-transitional</value>
+      </enum>
+    </disk>
+    <graphics supported='yes'>
+      <enum name='type'>
+        <value>sdl</value>
+        <value>vnc</value>
+        <value>spice</value>
+      </enum>
+    </graphics>
+    <video supported='yes'>
+      <enum name='modelType'>
+        <value>vga</value>
+        <value>cirrus</value>
+        <value>vmvga</value>
+        <value>qxl</value>
+        <value>virtio</value>
+      </enum>
+    </video>
+    <hostdev supported='yes'>
+      <enum name='mode'>
+        <value>subsystem</value>
+      </enum>
+      <enum name='startupPolicy'>
+        <value>default</value>
+        <value>mandatory</value>
+        <value>requisite</value>
+        <value>optional</value>
+      </enum>
+      <enum name='subsysType'>
+        <value>usb</value>
+        <value>pci</value>
+        <value>scsi</value>
+      </enum>
+      <enum name='capsType'/>
+      <enum name='pciBackend'>
+        <value>default</value>
+        <value>kvm</value>
+        <value>vfio</value>
+      </enum>
+    </hostdev>
+  </devices>
+  <features>
+    <gic supported='no'/>
+    <vmcoreinfo supported='yes'/>
+    <genid supported='yes'/>
+    <sev supported='no'/>
+    <mktme supported='yes'>
+      <keys_supported>15</keys_supported>
+    </mktme>
+  </features>
+</domainCapabilities>
diff --git a/tests/domaincapstest.c b/tests/domaincapstest.c
index f87a1d63fb..dc6eb9ba07 100644
--- a/tests/domaincapstest.c
+++ b/tests/domaincapstest.c
@@ -449,6 +449,10 @@ mymain(void)
     DO_TEST_QEMU("4.0.0", "caps_4.0.0",
                  "/usr/bin/qemu-system-x86_64", NULL,
                  "x86_64", VIR_DOMAIN_VIRT_KVM);
+
+    DO_TEST_QEMU("5.0.0", "caps_5.0.0",
+                 "/usr/bin/qemu-system-x86_64", NULL,
+                 "x86_64", VIR_DOMAIN_VIRT_KVM);
     virObjectUnref(cfg);
 
     virFileWrapperClearPrefixes();
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
new file mode 100644
index 0000000000..4bd9209147
--- /dev/null
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
@@ -0,0 +1,1389 @@
+<qemuCaps>
+  <qemuctime>0</qemuctime>
+  <selfctime>0</selfctime>
+  <selfvers>0</selfvers>
+  <flag name='kvm'/>
+  <flag name='no-hpet'/>
+  <flag name='spice'/>
+  <flag name='hda-duplex'/>
+  <flag name='ccid-emulated'/>
+  <flag name='ccid-passthru'/>
+  <flag name='virtio-tx-alg'/>
+  <flag name='virtio-blk-pci.ioeventfd'/>
+  <flag name='sga'/>
+  <flag name='virtio-blk-pci.event_idx'/>
+  <flag name='virtio-net-pci.event_idx'/>
+  <flag name='piix3-usb-uhci'/>
+  <flag name='piix4-usb-uhci'/>
+  <flag name='usb-ehci'/>
+  <flag name='ich9-usb-ehci1'/>
+  <flag name='vt82c686b-usb-uhci'/>
+  <flag name='pci-ohci'/>
+  <flag name='usb-redir'/>
+  <flag name='usb-hub'/>
+  <flag name='ich9-ahci'/>
+  <flag name='no-acpi'/>
+  <flag name='virtio-blk-pci.scsi'/>
+  <flag name='scsi-disk.channel'/>
+  <flag name='scsi-block'/>
+  <flag name='hda-micro'/>
+  <flag name='dump-guest-memory'/>
+  <flag name='nec-usb-xhci'/>
+  <flag name='lsi'/>
+  <flag name='virtio-scsi-pci'/>
+  <flag name='blockio'/>
+  <flag name='disable-s3'/>
+  <flag name='disable-s4'/>
+  <flag name='usb-redir.filter'/>
+  <flag name='ide-drive.wwn'/>
+  <flag name='scsi-disk.wwn'/>
+  <flag name='seccomp-sandbox'/>
+  <flag name='reboot-timeout'/>
+  <flag name='vnc'/>
+  <flag name='qxl'/>
+  <flag name='VGA'/>
+  <flag name='cirrus-vga'/>
+  <flag name='vmware-svga'/>
+  <flag name='device-video-primary'/>
+  <flag name='usb-serial'/>
+  <flag name='nbd-server'/>
+  <flag name='virtio-rng'/>
+  <flag name='rng-random'/>
+  <flag name='rng-egd'/>
+  <flag name='megasas'/>
+  <flag name='tpm-passthrough'/>
+  <flag name='tpm-tis'/>
+  <flag name='pci-bridge'/>
+  <flag name='vfio-pci'/>
+  <flag name='mem-merge'/>
+  <flag name='drive-discard'/>
+  <flag name='dmi-to-pci-bridge'/>
+  <flag name='i440fx-pci-hole64-size'/>
+  <flag name='q35-pci-hole64-size'/>
+  <flag name='usb-storage'/>
+  <flag name='usb-storage.removable'/>
+  <flag name='ich9-intel-hda'/>
+  <flag name='kvm-pit-lost-tick-policy'/>
+  <flag name='boot-strict'/>
+  <flag name='pvpanic'/>
+  <flag name='spice-file-xfer-disable'/>
+  <flag name='usb-kbd'/>
+  <flag name='msg-timestamp'/>
+  <flag name='active-commit'/>
+  <flag name='change-backing-file'/>
+  <flag name='memory-backend-ram'/>
+  <flag name='numa'/>
+  <flag name='memory-backend-file'/>
+  <flag name='usb-audio'/>
+  <flag name='rtc-reset-reinjection'/>
+  <flag name='splash-timeout'/>
+  <flag name='iothread'/>
+  <flag name='migrate-rdma'/>
+  <flag name='drive-iotune-max'/>
+  <flag name='VGA.vgamem_mb'/>
+  <flag name='vmware-svga.vgamem_mb'/>
+  <flag name='qxl.vgamem_mb'/>
+  <flag name='pc-dimm'/>
+  <flag name='machine-vmport-opt'/>
+  <flag name='aes-key-wrap'/>
+  <flag name='dea-key-wrap'/>
+  <flag name='pci-serial'/>
+  <flag name='vhost-user-multiqueue'/>
+  <flag name='migration-event'/>
+  <flag name='ioh3420'/>
+  <flag name='x3130-upstream'/>
+  <flag name='xio3130-downstream'/>
+  <flag name='rtl8139'/>
+  <flag name='e1000'/>
+  <flag name='virtio-net'/>
+  <flag name='gic-version'/>
+  <flag name='incoming-defer'/>
+  <flag name='virtio-gpu'/>
+  <flag name='virtio-gpu.virgl'/>
+  <flag name='virtio-keyboard'/>
+  <flag name='virtio-mouse'/>
+  <flag name='virtio-tablet'/>
+  <flag name='virtio-input-host'/>
+  <flag name='chardev-file-append'/>
+  <flag name='ich9-disable-s3'/>
+  <flag name='ich9-disable-s4'/>
+  <flag name='vserport-change-event'/>
+  <flag name='virtio-balloon-pci.deflate-on-oom'/>
+  <flag name='mptsas1068'/>
+  <flag name='spice-gl'/>
+  <flag name='qxl.vram64_size_mb'/>
+  <flag name='chardev-logfile'/>
+  <flag name='debug-threads'/>
+  <flag name='secret'/>
+  <flag name='pxb'/>
+  <flag name='pxb-pcie'/>
+  <flag name='nec-usb-xhci-ports'/>
+  <flag name='virtio-scsi-pci.iothread'/>
+  <flag name='name-guest'/>
+  <flag name='qxl.max_outputs'/>
+  <flag name='spice-unix'/>
+  <flag name='drive-detect-zeroes'/>
+  <flag name='tls-creds-x509'/>
+  <flag name='intel-iommu'/>
+  <flag name='smm'/>
+  <flag name='virtio-pci-disable-legacy'/>
+  <flag name='query-hotpluggable-cpus'/>
+  <flag name='virtio-net.rx_queue_size'/>
+  <flag name='virtio-vga'/>
+  <flag name='drive-iotune-max-length'/>
+  <flag name='ivshmem-plain'/>
+  <flag name='ivshmem-doorbell'/>
+  <flag name='query-qmp-schema'/>
+  <flag name='gluster.debug_level'/>
+  <flag name='vhost-scsi'/>
+  <flag name='drive-iotune-group'/>
+  <flag name='query-cpu-model-expansion'/>
+  <flag name='virtio-net.host_mtu'/>
+  <flag name='spice-rendernode'/>
+  <flag name='nvdimm'/>
+  <flag name='pcie-root-port'/>
+  <flag name='query-cpu-definitions'/>
+  <flag name='block-write-threshold'/>
+  <flag name='query-named-block-nodes'/>
+  <flag name='cpu-cache'/>
+  <flag name='qemu-xhci'/>
+  <flag name='kernel-irqchip'/>
+  <flag name='kernel-irqchip.split'/>
+  <flag name='intel-iommu.intremap'/>
+  <flag name='intel-iommu.caching-mode'/>
+  <flag name='intel-iommu.eim'/>
+  <flag name='intel-iommu.device-iotlb'/>
+  <flag name='virtio.iommu_platform'/>
+  <flag name='virtio.ats'/>
+  <flag name='loadparm'/>
+  <flag name='vnc-multi-servers'/>
+  <flag name='virtio-net.tx_queue_size'/>
+  <flag name='chardev-reconnect'/>
+  <flag name='virtio-gpu.max_outputs'/>
+  <flag name='vxhs'/>
+  <flag name='virtio-blk.num-queues'/>
+  <flag name='vmcoreinfo'/>
+  <flag name='numa.dist'/>
+  <flag name='disk-share-rw'/>
+  <flag name='iscsi.password-secret'/>
+  <flag name='isa-serial'/>
+  <flag name='dump-completed'/>
+  <flag name='qcow2-luks'/>
+  <flag name='pcie-pci-bridge'/>
+  <flag name='seccomp-blacklist'/>
+  <flag name='query-cpus-fast'/>
+  <flag name='disk-write-cache'/>
+  <flag name='nbd-tls'/>
+  <flag name='tpm-crb'/>
+  <flag name='pr-manager-helper'/>
+  <flag name='qom-list-properties'/>
+  <flag name='memory-backend-file.discard-data'/>
+  <flag name='sdl-gl'/>
+  <flag name='screendump_device'/>
+  <flag name='hda-output'/>
+  <flag name='blockdev-del'/>
+  <flag name='vmgenid'/>
+  <flag name='vhost-vsock'/>
+  <flag name='chardev-fd-pass'/>
+  <flag name='tpm-emulator'/>
+  <flag name='mch'/>
+  <flag name='mch.extended-tseg-mbytes'/>
+  <flag name='usb-storage.werror'/>
+  <flag name='egl-headless'/>
+  <flag name='vfio-pci.display'/>
+  <flag name='memory-backend-memfd'/>
+  <flag name='memory-backend-memfd.hugetlb'/>
+  <flag name='iothread.poll-max-ns'/>
+  <flag name='egl-headless.rendernode'/>
+  <flag name='memory-backend-file.align'/>
+  <flag name='memory-backend-file.pmem'/>
+  <flag name='nvdimm.unarmed'/>
+  <flag name='scsi-disk.device_id'/>
+  <flag name='virtio-pci-non-transitional'/>
+  <flag name='overcommit'/>
+  <flag name='mktme-guest'/>
+  <version>3001050</version>
+  <kvmVersion>0</kvmVersion>
+  <microcodeVersion>43100758</microcodeVersion>
+  <package>v3.1.0-1445-ga61faa3d02</package>
+  <arch>x86_64</arch>
+  <hostCPU type='kvm' model='base' migratability='yes'>
+    <property name='phys-bits' type='number' value='0'/>
+    <property name='core-id' type='number' value='-1'/>
+    <property name='xlevel' type='number' value='2147483656'/>
+    <property name='cmov' type='boolean' value='true' migratable='yes'/>
+    <property name='ia64' type='boolean' value='false'/>
+    <property name='ssb-no' type='boolean' value='false'/>
+    <property name='aes' type='boolean' value='true' migratable='yes'/>
+    <property name='mmx' type='boolean' value='true' migratable='yes'/>
+    <property name='rdpid' type='boolean' value='false'/>
+    <property name='arat' type='boolean' value='true' migratable='yes'/>
+    <property name='gfni' type='boolean' value='false'/>
+    <property name='ibrs-all' type='boolean' value='false'/>
+    <property name='pause-filter' type='boolean' value='false'/>
+    <property name='xsavec' type='boolean' value='true' migratable='yes'/>
+    <property name='intel-pt' type='boolean' value='false'/>
+    <property name='hv-frequencies' type='boolean' value='false'/>
+    <property name='tsc-frequency' type='number' value='0'/>
+    <property name='xd' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-vendor-id' type='string' value=''/>
+    <property name='kvm-asyncpf' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm_asyncpf' type='boolean' value='true' migratable='yes'/>
+    <property name='perfctr_core' type='boolean' value='false'/>
+    <property name='perfctr-core' type='boolean' value='false'/>
+    <property name='mpx' type='boolean' value='true' migratable='yes'/>
+    <property name='pbe' type='boolean' value='false'/>
+    <property name='decodeassists' type='boolean' value='false'/>
+    <property name='avx512cd' type='boolean' value='false'/>
+    <property name='sse4_1' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4.1' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4-1' type='boolean' value='true' migratable='yes'/>
+    <property name='family' type='number' value='6'/>
+    <property name='legacy-cache' type='boolean' value='true' migratable='yes'/>
+    <property name='host-phys-bits-limit' type='number' value='0'/>
+    <property name='vmware-cpuid-freq' type='boolean' value='true' migratable='yes'/>
+    <property name='wbnoinvd' type='boolean' value='false'/>
+    <property name='avx512f' type='boolean' value='false'/>
+    <property name='msr' type='boolean' value='true' migratable='yes'/>
+    <property name='mce' type='boolean' value='true' migratable='yes'/>
+    <property name='mca' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-runtime' type='boolean' value='false'/>
+    <property name='xcrypt' type='boolean' value='false'/>
+    <property name='thread-id' type='number' value='-1'/>
+    <property name='min-level' type='number' value='13'/>
+    <property name='xgetbv1' type='boolean' value='true' migratable='yes'/>
+    <property name='cid' type='boolean' value='false'/>
+    <property name='hv-relaxed' type='boolean' value='false'/>
+    <property name='hv-crash' type='boolean' value='false'/>
+    <property name='ds' type='boolean' value='false'/>
+    <property name='fxsr' type='boolean' value='true' migratable='yes'/>
+    <property name='xsaveopt' type='boolean' value='true' migratable='yes'/>
+    <property name='xtpr' type='boolean' value='false'/>
+    <property name='hv-evmcs' type='boolean' value='false'/>
+    <property name='avx512vl' type='boolean' value='false'/>
+    <property name='avx512-vpopcntdq' type='boolean' value='false'/>
+    <property name='phe' type='boolean' value='false'/>
+    <property name='extapic' type='boolean' value='false'/>
+    <property name='3dnowprefetch' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512vbmi2' type='boolean' value='false'/>
+    <property name='cr8legacy' type='boolean' value='false'/>
+    <property name='stibp' type='boolean' value='false'/>
+    <property name='cpuid-0xb' type='boolean' value='true' migratable='yes'/>
+    <property name='xcrypt-en' type='boolean' value='false'/>
+    <property name='kvm_pv_eoi' type='boolean' value='true' migratable='yes'/>
+    <property name='apic-id' type='number' value='4294967295'/>
+    <property name='rsba' type='boolean' value='false'/>
+    <property name='pn' type='boolean' value='false'/>
+    <property name='dca' type='boolean' value='false'/>
+    <property name='vendor' type='string' value='GenuineIntel'/>
+    <property name='hv-ipi' type='boolean' value='false'/>
+    <property name='pku' type='boolean' value='false'/>
+    <property name='smx' type='boolean' value='false'/>
+    <property name='cmp_legacy' type='boolean' value='false'/>
+    <property name='cmp-legacy' type='boolean' value='false'/>
+    <property name='node-id' type='number' value='-1'/>
+    <property name='avx512-4fmaps' type='boolean' value='false'/>
+    <property name='vmcb_clean' type='boolean' value='false'/>
+    <property name='vmcb-clean' type='boolean' value='false'/>
+    <property name='3dnowext' type='boolean' value='false'/>
+    <property name='amd-no-ssb' type='boolean' value='false'/>
+    <property name='hle' type='boolean' value='true' migratable='yes'/>
+    <property name='npt' type='boolean' value='false'/>
+    <property name='rdctl-no' type='boolean' value='false'/>
+    <property name='memory' type='string' value='/machine/unattached/system[0]'/>
+    <property name='clwb' type='boolean' value='false'/>
+    <property name='lbrv' type='boolean' value='false'/>
+    <property name='adx' type='boolean' value='true' migratable='yes'/>
+    <property name='ss' type='boolean' value='true' migratable='yes'/>
+    <property name='pni' type='boolean' value='true' migratable='yes'/>
+    <property name='svm_lock' type='boolean' value='false'/>
+    <property name='svm-lock' type='boolean' value='false'/>
+    <property name='pfthreshold' type='boolean' value='false'/>
+    <property name='smep' type='boolean' value='true' migratable='yes'/>
+    <property name='smap' type='boolean' value='true' migratable='yes'/>
+    <property name='x2apic' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512vbmi' type='boolean' value='false'/>
+    <property name='avx512vnni' type='boolean' value='false'/>
+    <property name='hv-stimer' type='boolean' value='false'/>
+    <property name='x-hv-synic-kvm-only' type='boolean' value='false'/>
+    <property name='i64' type='boolean' value='true' migratable='yes'/>
+    <property name='flushbyasid' type='boolean' value='false'/>
+    <property name='f16c' type='boolean' value='true' migratable='yes'/>
+    <property name='ace2-en' type='boolean' value='false'/>
+    <property name='pat' type='boolean' value='true' migratable='yes'/>
+    <property name='pae' type='boolean' value='true' migratable='yes'/>
+    <property name='sse' type='boolean' value='true' migratable='yes'/>
+    <property name='phe-en' type='boolean' value='false'/>
+    <property name='kvm_nopiodelay' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-nopiodelay' type='boolean' value='true' migratable='yes'/>
+    <property name='tm' type='boolean' value='false'/>
+    <property name='kvmclock-stable-bit' type='boolean' value='true' migratable='yes'/>
+    <property name='hypervisor' type='boolean' value='true' migratable='yes'/>
+    <property name='socket-id' type='number' value='-1'/>
+    <property name='pcommit' type='boolean' value='false'/>
+    <property name='syscall' type='boolean' value='true' migratable='yes'/>
+    <property name='level' type='number' value='13'/>
+    <property name='avx512dq' type='boolean' value='false'/>
+    <property name='x-migrate-smi-count' type='boolean' value='true' migratable='yes'/>
+    <property name='svm' type='boolean' value='false'/>
+    <property name='full-cpuid-auto-level' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-reset' type='boolean' value='false'/>
+    <property name='invtsc' type='boolean' value='true' migratable='no'/>
+    <property name='sse3' type='boolean' value='true' migratable='yes'/>
+    <property name='sse2' type='boolean' value='true' migratable='yes'/>
+    <property name='ssbd' type='boolean' value='true' migratable='yes'/>
+    <property name='est' type='boolean' value='false'/>
+    <property name='avx512ifma' type='boolean' value='false'/>
+    <property name='tm2' type='boolean' value='false'/>
+    <property name='kvm-pv-ipi' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-pv-eoi' type='boolean' value='true' migratable='yes'/>
+    <property name='cx8' type='boolean' value='true' migratable='yes'/>
+    <property name='cldemote' type='boolean' value='false'/>
+    <property name='hv-reenlightenment' type='boolean' value='false'/>
+    <property name='kvm_mmu' type='boolean' value='false'/>
+    <property name='kvm-mmu' type='boolean' value='false'/>
+    <property name='sse4_2' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4.2' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4-2' type='boolean' value='true' migratable='yes'/>
+    <property name='pge' type='boolean' value='true' migratable='yes'/>
+    <property name='fill-mtrr-mask' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512bitalg' type='boolean' value='false'/>
+    <property name='nodeid_msr' type='boolean' value='false'/>
+    <property name='pdcm' type='boolean' value='false'/>
+    <property name='movbe' type='boolean' value='true' migratable='yes'/>
+    <property name='model' type='number' value='94'/>
+    <property name='nrip_save' type='boolean' value='false'/>
+    <property name='nrip-save' type='boolean' value='false'/>
+    <property name='kvm_pv_unhalt' type='boolean' value='true' migratable='yes'/>
+    <property name='ssse3' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4a' type='boolean' value='false'/>
+    <property name='invpcid' type='boolean' value='true' migratable='yes'/>
+    <property name='pdpe1gb' type='boolean' value='true' migratable='yes'/>
+    <property name='tsc-deadline' type='boolean' value='true' migratable='yes'/>
+    <property name='skip-l1dfl-vmentry' type='boolean' value='true' migratable='yes'/>
+    <property name='fma' type='boolean' value='true' migratable='yes'/>
+    <property name='cx16' type='boolean' value='true' migratable='yes'/>
+    <property name='de' type='boolean' value='true' migratable='yes'/>
+    <property name='pconfig' type='boolean' value='false'/>
+    <property name='enforce' type='boolean' value='false'/>
+    <property name='stepping' type='number' value='3'/>
+    <property name='xsave' type='boolean' value='true' migratable='yes'/>
+    <property name='clflush' type='boolean' value='true' migratable='yes'/>
+    <property name='skinit' type='boolean' value='false'/>
+    <property name='tsc' type='boolean' value='true' migratable='yes'/>
+    <property name='tce' type='boolean' value='false'/>
+    <property name='fpu' type='boolean' value='true' migratable='yes'/>
+    <property name='ibs' type='boolean' value='false'/>
+    <property name='ds_cpl' type='boolean' value='false'/>
+    <property name='ds-cpl' type='boolean' value='false'/>
+    <property name='host-phys-bits' type='boolean' value='false'/>
+    <property name='fma4' type='boolean' value='false'/>
+    <property name='la57' type='boolean' value='false'/>
+    <property name='osvw' type='boolean' value='false'/>
+    <property name='check' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-spinlocks' type='number' value='-1'/>
+    <property name='pmu' type='boolean' value='false'/>
+    <property name='pmm' type='boolean' value='false'/>
+    <property name='apic' type='boolean' value='true' migratable='yes'/>
+    <property name='spec-ctrl' type='boolean' value='true' migratable='yes'/>
+    <property name='min-xlevel2' type='number' value='0'/>
+    <property name='tsc-adjust' type='boolean' value='true' migratable='yes'/>
+    <property name='tsc_adjust' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-steal-time' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm_steal_time' type='boolean' value='true' migratable='yes'/>
+    <property name='kvmclock' type='boolean' value='true' migratable='yes'/>
+    <property name='l3-cache' type='boolean' value='true' migratable='yes'/>
+    <property name='lwp' type='boolean' value='false'/>
+    <property name='amd-ssbd' type='boolean' value='false'/>
+    <property name='ibpb' type='boolean' value='false'/>
+    <property name='xop' type='boolean' value='false'/>
+    <property name='avx' type='boolean' value='true' migratable='yes'/>
+    <property name='movdiri' type='boolean' value='false'/>
+    <property name='ace2' type='boolean' value='false'/>
+    <property name='avx512bw' type='boolean' value='false'/>
+    <property name='acpi' type='boolean' value='false'/>
+    <property name='hv-vapic' type='boolean' value='false'/>
+    <property name='fsgsbase' type='boolean' value='true' migratable='yes'/>
+    <property name='ht' type='boolean' value='false'/>
+    <property name='nx' type='boolean' value='true' migratable='yes'/>
+    <property name='pclmulqdq' type='boolean' value='true' migratable='yes'/>
+    <property name='mmxext' type='boolean' value='false'/>
+    <property name='vaes' type='boolean' value='false'/>
+    <property name='popcnt' type='boolean' value='true' migratable='yes'/>
+    <property name='xsaves' type='boolean' value='true' migratable='yes'/>
+    <property name='movdir64b' type='boolean' value='false'/>
+    <property name='tcg-cpuid' type='boolean' value='true' migratable='yes'/>
+    <property name='lm' type='boolean' value='true' migratable='yes'/>
+    <property name='umip' type='boolean' value='true' migratable='yes'/>
+    <property name='pse' type='boolean' value='true' migratable='yes'/>
+    <property name='avx2' type='boolean' value='true' migratable='yes'/>
+    <property name='sep' type='boolean' value='true' migratable='yes'/>
+    <property name='pclmuldq' type='boolean' value='true' migratable='yes'/>
+    <property name='virt-ssbd' type='boolean' value='false'/>
+    <property name='x-hv-max-vps' type='number' value='-1'/>
+    <property name='nodeid-msr' type='boolean' value='false'/>
+    <property name='kvm' type='boolean' value='true' migratable='yes'/>
+    <property name='misalignsse' type='boolean' value='false'/>
+    <property name='min-xlevel' type='number' value='2147483656'/>
+    <property name='kvm-pv-unhalt' type='boolean' value='true' migratable='yes'/>
+    <property name='bmi2' type='boolean' value='true' migratable='yes'/>
+    <property name='bmi1' type='boolean' value='true' migratable='yes'/>
+    <property name='realized' type='boolean' value='false'/>
+    <property name='tsc_scale' type='boolean' value='false'/>
+    <property name='tsc-scale' type='boolean' value='false'/>
+    <property name='topoext' type='boolean' value='false'/>
+    <property name='hv-vpindex' type='boolean' value='false'/>
+    <property name='xlevel2' type='number' value='0'/>
+    <property name='clflushopt' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-no-smi-migration' type='boolean' value='false'/>
+    <property name='monitor' type='boolean' value='false'/>
+    <property name='avx512er' type='boolean' value='false'/>
+    <property name='pmm-en' type='boolean' value='false'/>
+    <property name='pcid' type='boolean' value='true' migratable='yes'/>
+    <property name='arch-capabilities' type='boolean' value='true' migratable='no'/>
+    <property name='3dnow' type='boolean' value='false'/>
+    <property name='erms' type='boolean' value='true' migratable='yes'/>
+    <property name='lahf-lm' type='boolean' value='true' migratable='yes'/>
+    <property name='lahf_lm' type='boolean' value='true' migratable='yes'/>
+    <property name='vpclmulqdq' type='boolean' value='false'/>
+    <property name='fxsr-opt' type='boolean' value='false'/>
+    <property name='hv-synic' type='boolean' value='false'/>
+    <property name='xstore' type='boolean' value='false'/>
+    <property name='fxsr_opt' type='boolean' value='false'/>
+    <property name='kvm-hint-dedicated' type='boolean' value='false'/>
+    <property name='rtm' type='boolean' value='true' migratable='yes'/>
+    <property name='lmce' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-time' type='boolean' value='false'/>
+    <property name='perfctr-nb' type='boolean' value='false'/>
+    <property name='perfctr_nb' type='boolean' value='false'/>
+    <property name='ffxsr' type='boolean' value='false'/>
+    <property name='hv-tlbflush' type='boolean' value='false'/>
+    <property name='rdrand' type='boolean' value='true' migratable='yes'/>
+    <property name='rdseed' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512-4vnniw' type='boolean' value='false'/>
+    <property name='vmx' type='boolean' value='false'/>
+    <property name='vme' type='boolean' value='true' migratable='yes'/>
+    <property name='dtes64' type='boolean' value='false'/>
+    <property name='mtrr' type='boolean' value='true' migratable='yes'/>
+    <property name='rdtscp' type='boolean' value='true' migratable='yes'/>
+    <property name='pse36' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-pv-tlb-flush' type='boolean' value='true' migratable='yes'/>
+    <property name='tbm' type='boolean' value='false'/>
+    <property name='wdt' type='boolean' value='false'/>
+    <property name='pause_filter' type='boolean' value='false'/>
+    <property name='sha-ni' type='boolean' value='false'/>
+    <property name='model-id' type='string' value='Intel(R) Xeon(R) CPU E3-1245 v5 @ 3.50GHz'/>
+    <property name='abm' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512pf' type='boolean' value='false'/>
+    <property name='xstore-en' type='boolean' value='false'/>
+  </hostCPU>
+  <hostCPU type='tcg' model='base' migratability='yes'>
+    <property name='phys-bits' type='number' value='0'/>
+    <property name='core-id' type='number' value='-1'/>
+    <property name='xlevel' type='number' value='2147483658'/>
+    <property name='cmov' type='boolean' value='true' migratable='yes'/>
+    <property name='ia64' type='boolean' value='false'/>
+    <property name='ssb-no' type='boolean' value='false'/>
+    <property name='aes' type='boolean' value='true' migratable='yes'/>
+    <property name='mmx' type='boolean' value='true' migratable='yes'/>
+    <property name='rdpid' type='boolean' value='false'/>
+    <property name='arat' type='boolean' value='true' migratable='yes'/>
+    <property name='gfni' type='boolean' value='false'/>
+    <property name='ibrs-all' type='boolean' value='false'/>
+    <property name='pause-filter' type='boolean' value='false'/>
+    <property name='xsavec' type='boolean' value='false'/>
+    <property name='intel-pt' type='boolean' value='false'/>
+    <property name='hv-frequencies' type='boolean' value='false'/>
+    <property name='tsc-frequency' type='number' value='0'/>
+    <property name='xd' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-vendor-id' type='string' value=''/>
+    <property name='kvm-asyncpf' type='boolean' value='false'/>
+    <property name='kvm_asyncpf' type='boolean' value='false'/>
+    <property name='perfctr_core' type='boolean' value='false'/>
+    <property name='perfctr-core' type='boolean' value='false'/>
+    <property name='mpx' type='boolean' value='true' migratable='yes'/>
+    <property name='pbe' type='boolean' value='false'/>
+    <property name='decodeassists' type='boolean' value='false'/>
+    <property name='avx512cd' type='boolean' value='false'/>
+    <property name='sse4_1' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4.1' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4-1' type='boolean' value='true' migratable='yes'/>
+    <property name='family' type='number' value='6'/>
+    <property name='legacy-cache' type='boolean' value='true' migratable='yes'/>
+    <property name='host-phys-bits-limit' type='number' value='0'/>
+    <property name='vmware-cpuid-freq' type='boolean' value='true' migratable='yes'/>
+    <property name='wbnoinvd' type='boolean' value='false'/>
+    <property name='avx512f' type='boolean' value='false'/>
+    <property name='msr' type='boolean' value='true' migratable='yes'/>
+    <property name='mce' type='boolean' value='true' migratable='yes'/>
+    <property name='mca' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-runtime' type='boolean' value='false'/>
+    <property name='xcrypt' type='boolean' value='false'/>
+    <property name='thread-id' type='number' value='-1'/>
+    <property name='min-level' type='number' value='13'/>
+    <property name='xgetbv1' type='boolean' value='true' migratable='yes'/>
+    <property name='cid' type='boolean' value='false'/>
+    <property name='hv-relaxed' type='boolean' value='false'/>
+    <property name='hv-crash' type='boolean' value='false'/>
+    <property name='ds' type='boolean' value='false'/>
+    <property name='fxsr' type='boolean' value='true' migratable='yes'/>
+    <property name='xsaveopt' type='boolean' value='true' migratable='yes'/>
+    <property name='xtpr' type='boolean' value='false'/>
+    <property name='hv-evmcs' type='boolean' value='false'/>
+    <property name='avx512vl' type='boolean' value='false'/>
+    <property name='avx512-vpopcntdq' type='boolean' value='false'/>
+    <property name='phe' type='boolean' value='false'/>
+    <property name='extapic' type='boolean' value='false'/>
+    <property name='3dnowprefetch' type='boolean' value='false'/>
+    <property name='avx512vbmi2' type='boolean' value='false'/>
+    <property name='cr8legacy' type='boolean' value='true' migratable='yes'/>
+    <property name='stibp' type='boolean' value='false'/>
+    <property name='cpuid-0xb' type='boolean' value='true' migratable='yes'/>
+    <property name='xcrypt-en' type='boolean' value='false'/>
+    <property name='kvm_pv_eoi' type='boolean' value='false'/>
+    <property name='apic-id' type='number' value='4294967295'/>
+    <property name='rsba' type='boolean' value='false'/>
+    <property name='pn' type='boolean' value='false'/>
+    <property name='dca' type='boolean' value='false'/>
+    <property name='vendor' type='string' value='AuthenticAMD'/>
+    <property name='hv-ipi' type='boolean' value='false'/>
+    <property name='pku' type='boolean' value='true' migratable='yes'/>
+    <property name='smx' type='boolean' value='false'/>
+    <property name='cmp_legacy' type='boolean' value='false'/>
+    <property name='cmp-legacy' type='boolean' value='false'/>
+    <property name='node-id' type='number' value='-1'/>
+    <property name='avx512-4fmaps' type='boolean' value='false'/>
+    <property name='vmcb_clean' type='boolean' value='false'/>
+    <property name='vmcb-clean' type='boolean' value='false'/>
+    <property name='3dnowext' type='boolean' value='true' migratable='yes'/>
+    <property name='amd-no-ssb' type='boolean' value='false'/>
+    <property name='hle' type='boolean' value='false'/>
+    <property name='npt' type='boolean' value='true' migratable='yes'/>
+    <property name='rdctl-no' type='boolean' value='false'/>
+    <property name='memory' type='string' value='/machine/unattached/system[0]'/>
+    <property name='clwb' type='boolean' value='true' migratable='yes'/>
+    <property name='lbrv' type='boolean' value='false'/>
+    <property name='adx' type='boolean' value='true' migratable='yes'/>
+    <property name='ss' type='boolean' value='true' migratable='yes'/>
+    <property name='pni' type='boolean' value='true' migratable='yes'/>
+    <property name='svm_lock' type='boolean' value='false'/>
+    <property name='svm-lock' type='boolean' value='false'/>
+    <property name='pfthreshold' type='boolean' value='false'/>
+    <property name='smep' type='boolean' value='true' migratable='yes'/>
+    <property name='smap' type='boolean' value='true' migratable='yes'/>
+    <property name='x2apic' type='boolean' value='false'/>
+    <property name='avx512vbmi' type='boolean' value='false'/>
+    <property name='avx512vnni' type='boolean' value='false'/>
+    <property name='hv-stimer' type='boolean' value='false'/>
+    <property name='x-hv-synic-kvm-only' type='boolean' value='false'/>
+    <property name='i64' type='boolean' value='true' migratable='yes'/>
+    <property name='flushbyasid' type='boolean' value='false'/>
+    <property name='f16c' type='boolean' value='false'/>
+    <property name='ace2-en' type='boolean' value='false'/>
+    <property name='pat' type='boolean' value='true' migratable='yes'/>
+    <property name='pae' type='boolean' value='true' migratable='yes'/>
+    <property name='sse' type='boolean' value='true' migratable='yes'/>
+    <property name='phe-en' type='boolean' value='false'/>
+    <property name='kvm_nopiodelay' type='boolean' value='false'/>
+    <property name='kvm-nopiodelay' type='boolean' value='false'/>
+    <property name='tm' type='boolean' value='false'/>
+    <property name='kvmclock-stable-bit' type='boolean' value='false'/>
+    <property name='hypervisor' type='boolean' value='true' migratable='yes'/>
+    <property name='socket-id' type='number' value='-1'/>
+    <property name='pcommit' type='boolean' value='true' migratable='yes'/>
+    <property name='syscall' type='boolean' value='true' migratable='yes'/>
+    <property name='level' type='number' value='13'/>
+    <property name='avx512dq' type='boolean' value='false'/>
+    <property name='x-migrate-smi-count' type='boolean' value='true' migratable='yes'/>
+    <property name='svm' type='boolean' value='true' migratable='yes'/>
+    <property name='full-cpuid-auto-level' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-reset' type='boolean' value='false'/>
+    <property name='invtsc' type='boolean' value='false'/>
+    <property name='sse3' type='boolean' value='true' migratable='yes'/>
+    <property name='sse2' type='boolean' value='true' migratable='yes'/>
+    <property name='ssbd' type='boolean' value='false'/>
+    <property name='est' type='boolean' value='false'/>
+    <property name='avx512ifma' type='boolean' value='false'/>
+    <property name='tm2' type='boolean' value='false'/>
+    <property name='kvm-pv-ipi' type='boolean' value='false'/>
+    <property name='kvm-pv-eoi' type='boolean' value='false'/>
+    <property name='cx8' type='boolean' value='true' migratable='yes'/>
+    <property name='cldemote' type='boolean' value='false'/>
+    <property name='hv-reenlightenment' type='boolean' value='false'/>
+    <property name='kvm_mmu' type='boolean' value='false'/>
+    <property name='kvm-mmu' type='boolean' value='false'/>
+    <property name='sse4_2' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4.2' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4-2' type='boolean' value='true' migratable='yes'/>
+    <property name='pge' type='boolean' value='true' migratable='yes'/>
+    <property name='fill-mtrr-mask' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512bitalg' type='boolean' value='false'/>
+    <property name='nodeid_msr' type='boolean' value='false'/>
+    <property name='pdcm' type='boolean' value='false'/>
+    <property name='movbe' type='boolean' value='true' migratable='yes'/>
+    <property name='model' type='number' value='6'/>
+    <property name='nrip_save' type='boolean' value='false'/>
+    <property name='nrip-save' type='boolean' value='false'/>
+    <property name='kvm_pv_unhalt' type='boolean' value='false'/>
+    <property name='ssse3' type='boolean' value='true' migratable='yes'/>
+    <property name='sse4a' type='boolean' value='true' migratable='yes'/>
+    <property name='invpcid' type='boolean' value='false'/>
+    <property name='pdpe1gb' type='boolean' value='true' migratable='yes'/>
+    <property name='tsc-deadline' type='boolean' value='false'/>
+    <property name='skip-l1dfl-vmentry' type='boolean' value='false'/>
+    <property name='fma' type='boolean' value='false'/>
+    <property name='cx16' type='boolean' value='true' migratable='yes'/>
+    <property name='de' type='boolean' value='true' migratable='yes'/>
+    <property name='pconfig' type='boolean' value='false'/>
+    <property name='enforce' type='boolean' value='false'/>
+    <property name='stepping' type='number' value='3'/>
+    <property name='xsave' type='boolean' value='true' migratable='yes'/>
+    <property name='clflush' type='boolean' value='true' migratable='yes'/>
+    <property name='skinit' type='boolean' value='false'/>
+    <property name='tsc' type='boolean' value='true' migratable='yes'/>
+    <property name='tce' type='boolean' value='false'/>
+    <property name='fpu' type='boolean' value='true' migratable='yes'/>
+    <property name='ibs' type='boolean' value='false'/>
+    <property name='ds_cpl' type='boolean' value='false'/>
+    <property name='ds-cpl' type='boolean' value='false'/>
+    <property name='host-phys-bits' type='boolean' value='false'/>
+    <property name='fma4' type='boolean' value='false'/>
+    <property name='la57' type='boolean' value='true' migratable='yes'/>
+    <property name='osvw' type='boolean' value='false'/>
+    <property name='check' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-spinlocks' type='number' value='-1'/>
+    <property name='pmu' type='boolean' value='false'/>
+    <property name='pmm' type='boolean' value='false'/>
+    <property name='apic' type='boolean' value='true' migratable='yes'/>
+    <property name='spec-ctrl' type='boolean' value='false'/>
+    <property name='min-xlevel2' type='number' value='0'/>
+    <property name='tsc-adjust' type='boolean' value='false'/>
+    <property name='tsc_adjust' type='boolean' value='false'/>
+    <property name='kvm-steal-time' type='boolean' value='false'/>
+    <property name='kvm_steal_time' type='boolean' value='false'/>
+    <property name='kvmclock' type='boolean' value='false'/>
+    <property name='l3-cache' type='boolean' value='true' migratable='yes'/>
+    <property name='lwp' type='boolean' value='false'/>
+    <property name='amd-ssbd' type='boolean' value='false'/>
+    <property name='ibpb' type='boolean' value='false'/>
+    <property name='xop' type='boolean' value='false'/>
+    <property name='avx' type='boolean' value='false'/>
+    <property name='movdiri' type='boolean' value='false'/>
+    <property name='ace2' type='boolean' value='false'/>
+    <property name='avx512bw' type='boolean' value='false'/>
+    <property name='acpi' type='boolean' value='true' migratable='yes'/>
+    <property name='hv-vapic' type='boolean' value='false'/>
+    <property name='fsgsbase' type='boolean' value='true' migratable='yes'/>
+    <property name='ht' type='boolean' value='false'/>
+    <property name='nx' type='boolean' value='true' migratable='yes'/>
+    <property name='pclmulqdq' type='boolean' value='true' migratable='yes'/>
+    <property name='mmxext' type='boolean' value='true' migratable='yes'/>
+    <property name='vaes' type='boolean' value='false'/>
+    <property name='popcnt' type='boolean' value='true' migratable='yes'/>
+    <property name='xsaves' type='boolean' value='false'/>
+    <property name='movdir64b' type='boolean' value='false'/>
+    <property name='tcg-cpuid' type='boolean' value='true' migratable='yes'/>
+    <property name='lm' type='boolean' value='true' migratable='yes'/>
+    <property name='umip' type='boolean' value='false'/>
+    <property name='pse' type='boolean' value='true' migratable='yes'/>
+    <property name='avx2' type='boolean' value='false'/>
+    <property name='sep' type='boolean' value='true' migratable='yes'/>
+    <property name='pclmuldq' type='boolean' value='true' migratable='yes'/>
+    <property name='virt-ssbd' type='boolean' value='false'/>
+    <property name='x-hv-max-vps' type='number' value='-1'/>
+    <property name='nodeid-msr' type='boolean' value='false'/>
+    <property name='kvm' type='boolean' value='true' migratable='yes'/>
+    <property name='misalignsse' type='boolean' value='false'/>
+    <property name='min-xlevel' type='number' value='2147483658'/>
+    <property name='kvm-pv-unhalt' type='boolean' value='false'/>
+    <property name='bmi2' type='boolean' value='true' migratable='yes'/>
+    <property name='bmi1' type='boolean' value='true' migratable='yes'/>
+    <property name='realized' type='boolean' value='false'/>
+    <property name='tsc_scale' type='boolean' value='false'/>
+    <property name='tsc-scale' type='boolean' value='false'/>
+    <property name='topoext' type='boolean' value='false'/>
+    <property name='hv-vpindex' type='boolean' value='false'/>
+    <property name='xlevel2' type='number' value='0'/>
+    <property name='clflushopt' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-no-smi-migration' type='boolean' value='false'/>
+    <property name='monitor' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512er' type='boolean' value='false'/>
+    <property name='pmm-en' type='boolean' value='false'/>
+    <property name='pcid' type='boolean' value='false'/>
+    <property name='arch-capabilities' type='boolean' value='false'/>
+    <property name='3dnow' type='boolean' value='true' migratable='yes'/>
+    <property name='erms' type='boolean' value='true' migratable='yes'/>
+    <property name='lahf-lm' type='boolean' value='true' migratable='yes'/>
+    <property name='lahf_lm' type='boolean' value='true' migratable='yes'/>
+    <property name='vpclmulqdq' type='boolean' value='false'/>
+    <property name='fxsr-opt' type='boolean' value='false'/>
+    <property name='hv-synic' type='boolean' value='false'/>
+    <property name='xstore' type='boolean' value='false'/>
+    <property name='fxsr_opt' type='boolean' value='false'/>
+    <property name='kvm-hint-dedicated' type='boolean' value='false'/>
+    <property name='rtm' type='boolean' value='false'/>
+    <property name='lmce' type='boolean' value='false'/>
+    <property name='hv-time' type='boolean' value='false'/>
+    <property name='perfctr-nb' type='boolean' value='false'/>
+    <property name='perfctr_nb' type='boolean' value='false'/>
+    <property name='ffxsr' type='boolean' value='false'/>
+    <property name='hv-tlbflush' type='boolean' value='false'/>
+    <property name='rdrand' type='boolean' value='false'/>
+    <property name='rdseed' type='boolean' value='false'/>
+    <property name='avx512-4vnniw' type='boolean' value='false'/>
+    <property name='vmx' type='boolean' value='false'/>
+    <property name='vme' type='boolean' value='false'/>
+    <property name='dtes64' type='boolean' value='false'/>
+    <property name='mtrr' type='boolean' value='true' migratable='yes'/>
+    <property name='rdtscp' type='boolean' value='true' migratable='yes'/>
+    <property name='pse36' type='boolean' value='true' migratable='yes'/>
+    <property name='kvm-pv-tlb-flush' type='boolean' value='false'/>
+    <property name='tbm' type='boolean' value='false'/>
+    <property name='wdt' type='boolean' value='false'/>
+    <property name='pause_filter' type='boolean' value='false'/>
+    <property name='sha-ni' type='boolean' value='false'/>
+    <property name='model-id' type='string' value='QEMU TCG CPU version 2.5+'/>
+    <property name='abm' type='boolean' value='true' migratable='yes'/>
+    <property name='avx512pf' type='boolean' value='false'/>
+    <property name='xstore-en' type='boolean' value='false'/>
+  </hostCPU>
+  <cpu type='kvm' name='max' usable='yes'/>
+  <cpu type='kvm' name='host' usable='yes'/>
+  <cpu type='kvm' name='base' usable='yes'/>
+  <cpu type='kvm' name='qemu64' usable='yes'/>
+  <cpu type='kvm' name='qemu32' usable='yes'/>
+  <cpu type='kvm' name='phenom' usable='no'>
+    <blocker name='mmxext'/>
+    <blocker name='fxsr-opt'/>
+    <blocker name='3dnowext'/>
+    <blocker name='3dnow'/>
+    <blocker name='sse4a'/>
+    <blocker name='npt'/>
+  </cpu>
+  <cpu type='kvm' name='pentium3' usable='yes'/>
+  <cpu type='kvm' name='pentium2' usable='yes'/>
+  <cpu type='kvm' name='pentium' usable='yes'/>
+  <cpu type='kvm' name='n270' usable='yes'/>
+  <cpu type='kvm' name='kvm64' usable='yes'/>
+  <cpu type='kvm' name='kvm32' usable='yes'/>
+  <cpu type='kvm' name='coreduo' usable='yes'/>
+  <cpu type='kvm' name='core2duo' usable='yes'/>
+  <cpu type='kvm' name='athlon' usable='no'>
+    <blocker name='mmxext'/>
+    <blocker name='3dnowext'/>
+    <blocker name='3dnow'/>
+  </cpu>
+  <cpu type='kvm' name='Westmere-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Westmere' usable='yes'/>
+  <cpu type='kvm' name='Skylake-Server-IBRS' usable='no'>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='clwb'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='pku'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='pku'/>
+  </cpu>
+  <cpu type='kvm' name='Skylake-Server' usable='no'>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='clwb'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='pku'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='pku'/>
+  </cpu>
+  <cpu type='kvm' name='Skylake-Client-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Skylake-Client' usable='yes'/>
+  <cpu type='kvm' name='SandyBridge-IBRS' usable='yes'/>
+  <cpu type='kvm' name='SandyBridge' usable='yes'/>
+  <cpu type='kvm' name='Penryn' usable='yes'/>
+  <cpu type='kvm' name='Opteron_G5' usable='no'>
+    <blocker name='sse4a'/>
+    <blocker name='misalignsse'/>
+    <blocker name='xop'/>
+    <blocker name='fma4'/>
+    <blocker name='tbm'/>
+    <blocker name='npt'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='kvm' name='Opteron_G4' usable='no'>
+    <blocker name='sse4a'/>
+    <blocker name='misalignsse'/>
+    <blocker name='xop'/>
+    <blocker name='fma4'/>
+    <blocker name='npt'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='kvm' name='Opteron_G3' usable='no'>
+    <blocker name='sse4a'/>
+    <blocker name='misalignsse'/>
+  </cpu>
+  <cpu type='kvm' name='Opteron_G2' usable='yes'/>
+  <cpu type='kvm' name='Opteron_G1' usable='yes'/>
+  <cpu type='kvm' name='Nehalem-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Nehalem' usable='yes'/>
+  <cpu type='kvm' name='KnightsMill' usable='no'>
+    <blocker name='avx512f'/>
+    <blocker name='avx512pf'/>
+    <blocker name='avx512er'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='avx512-4vnniw'/>
+    <blocker name='avx512-4fmaps'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+  </cpu>
+  <cpu type='kvm' name='IvyBridge-IBRS' usable='yes'/>
+  <cpu type='kvm' name='IvyBridge' usable='yes'/>
+  <cpu type='kvm' name='Icelake-Server' usable='no'>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='clwb'/>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='avx512vbmi'/>
+    <blocker name='pku'/>
+    <blocker name=''/>
+    <blocker name='avx512vbmi2'/>
+    <blocker name='gfni'/>
+    <blocker name='vaes'/>
+    <blocker name='vpclmulqdq'/>
+    <blocker name='avx512vnni'/>
+    <blocker name='avx512bitalg'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='la57'/>
+    <blocker name='pconfig'/>
+    <blocker name='wbnoinvd'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='pku'/>
+  </cpu>
+  <cpu type='kvm' name='Icelake-Client' usable='no'>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512vbmi'/>
+    <blocker name='pku'/>
+    <blocker name=''/>
+    <blocker name='avx512vbmi2'/>
+    <blocker name='gfni'/>
+    <blocker name='vaes'/>
+    <blocker name='vpclmulqdq'/>
+    <blocker name='avx512vnni'/>
+    <blocker name='avx512bitalg'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='wbnoinvd'/>
+    <blocker name='pku'/>
+  </cpu>
+  <cpu type='kvm' name='Haswell-noTSX-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Haswell-noTSX' usable='yes'/>
+  <cpu type='kvm' name='Haswell-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Haswell' usable='yes'/>
+  <cpu type='kvm' name='EPYC-IBPB' usable='no'>
+    <blocker name='sha-ni'/>
+    <blocker name='mmxext'/>
+    <blocker name='fxsr-opt'/>
+    <blocker name='cr8legacy'/>
+    <blocker name='sse4a'/>
+    <blocker name='misalignsse'/>
+    <blocker name='osvw'/>
+    <blocker name='ibpb'/>
+    <blocker name='npt'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='kvm' name='EPYC' usable='no'>
+    <blocker name='sha-ni'/>
+    <blocker name='mmxext'/>
+    <blocker name='fxsr-opt'/>
+    <blocker name='cr8legacy'/>
+    <blocker name='sse4a'/>
+    <blocker name='misalignsse'/>
+    <blocker name='osvw'/>
+    <blocker name='npt'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='kvm' name='Conroe' usable='yes'/>
+  <cpu type='kvm' name='Cascadelake-Server' usable='no'>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='clwb'/>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='pku'/>
+    <blocker name=''/>
+    <blocker name='avx512vnni'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512f'/>
+    <blocker name='pku'/>
+  </cpu>
+  <cpu type='kvm' name='Broadwell-noTSX-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Broadwell-noTSX' usable='yes'/>
+  <cpu type='kvm' name='Broadwell-IBRS' usable='yes'/>
+  <cpu type='kvm' name='Broadwell' usable='yes'/>
+  <cpu type='kvm' name='486' usable='yes'/>
+  <cpu type='tcg' name='max' usable='yes'/>
+  <cpu type='tcg' name='host' usable='no'>
+    <blocker name='kvm'/>
+  </cpu>
+  <cpu type='tcg' name='base' usable='yes'/>
+  <cpu type='tcg' name='qemu64' usable='yes'/>
+  <cpu type='tcg' name='qemu32' usable='yes'/>
+  <cpu type='tcg' name='phenom' usable='no'>
+    <blocker name='fxsr-opt'/>
+  </cpu>
+  <cpu type='tcg' name='pentium3' usable='yes'/>
+  <cpu type='tcg' name='pentium2' usable='yes'/>
+  <cpu type='tcg' name='pentium' usable='yes'/>
+  <cpu type='tcg' name='n270' usable='yes'/>
+  <cpu type='tcg' name='kvm64' usable='yes'/>
+  <cpu type='tcg' name='kvm32' usable='yes'/>
+  <cpu type='tcg' name='coreduo' usable='yes'/>
+  <cpu type='tcg' name='core2duo' usable='yes'/>
+  <cpu type='tcg' name='athlon' usable='yes'/>
+  <cpu type='tcg' name='Westmere-IBRS' usable='no'>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='Westmere' usable='yes'/>
+  <cpu type='tcg' name='Skylake-Server-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='rdseed'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Skylake-Server' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='rdseed'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Skylake-Client-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='rdseed'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Skylake-Client' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='rdseed'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='SandyBridge-IBRS' usable='no'>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='SandyBridge' usable='no'>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+  </cpu>
+  <cpu type='tcg' name='Penryn' usable='yes'/>
+  <cpu type='tcg' name='Opteron_G5' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='misalignsse'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xop'/>
+    <blocker name='fma4'/>
+    <blocker name='tbm'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='tcg' name='Opteron_G4' usable='no'>
+    <blocker name='avx'/>
+    <blocker name='misalignsse'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xop'/>
+    <blocker name='fma4'/>
+    <blocker name='nrip-save'/>
+  </cpu>
+  <cpu type='tcg' name='Opteron_G3' usable='no'>
+    <blocker name='misalignsse'/>
+  </cpu>
+  <cpu type='tcg' name='Opteron_G2' usable='yes'/>
+  <cpu type='tcg' name='Opteron_G1' usable='yes'/>
+  <cpu type='tcg' name='Nehalem-IBRS' usable='no'>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='Nehalem' usable='yes'/>
+  <cpu type='tcg' name='KnightsMill' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='avx512f'/>
+    <blocker name='rdseed'/>
+    <blocker name='avx512pf'/>
+    <blocker name='avx512er'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='avx512-4vnniw'/>
+    <blocker name='avx512-4fmaps'/>
+    <blocker name='3dnowprefetch'/>
+  </cpu>
+  <cpu type='tcg' name='IvyBridge-IBRS' usable='no'>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='IvyBridge' usable='no'>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+  </cpu>
+  <cpu type='tcg' name='Icelake-Server' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='rdseed'/>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name='avx512vbmi'/>
+    <blocker name='umip'/>
+    <blocker name=''/>
+    <blocker name='avx512vbmi2'/>
+    <blocker name='gfni'/>
+    <blocker name='vaes'/>
+    <blocker name='vpclmulqdq'/>
+    <blocker name='avx512vnni'/>
+    <blocker name='avx512bitalg'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='pconfig'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='ssbd'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='wbnoinvd'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Icelake-Client' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='rdseed'/>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512vbmi'/>
+    <blocker name='umip'/>
+    <blocker name=''/>
+    <blocker name='avx512vbmi2'/>
+    <blocker name='gfni'/>
+    <blocker name='vaes'/>
+    <blocker name='vpclmulqdq'/>
+    <blocker name='avx512vnni'/>
+    <blocker name='avx512bitalg'/>
+    <blocker name='avx512-vpopcntdq'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='ssbd'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='wbnoinvd'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Haswell-noTSX-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='Haswell-noTSX' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+  </cpu>
+  <cpu type='tcg' name='Haswell-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='spec-ctrl'/>
+  </cpu>
+  <cpu type='tcg' name='Haswell' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+  </cpu>
+  <cpu type='tcg' name='EPYC-IBPB' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='rdseed'/>
+    <blocker name='sha-ni'/>
+    <blocker name='fxsr-opt'/>
+    <blocker name='misalignsse'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='osvw'/>
+    <blocker name='topoext'/>
+    <blocker name='ibpb'/>
+    <blocker name='nrip-save'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='EPYC' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='rdseed'/>
+    <blocker name='sha-ni'/>
+    <blocker name='fxsr-opt'/>
+    <blocker name='misalignsse'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='osvw'/>
+    <blocker name='topoext'/>
+    <blocker name='nrip-save'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Conroe' usable='yes'/>
+  <cpu type='tcg' name='Cascadelake-Server' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='avx512f'/>
+    <blocker name='avx512dq'/>
+    <blocker name='rdseed'/>
+    <blocker name='intel-pt'/>
+    <blocker name='avx512cd'/>
+    <blocker name='avx512bw'/>
+    <blocker name='avx512vl'/>
+    <blocker name=''/>
+    <blocker name='avx512vnni'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='ssbd'/>
+    <blocker name='3dnowprefetch'/>
+    <blocker name='xsavec'/>
+  </cpu>
+  <cpu type='tcg' name='Broadwell-noTSX-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rdseed'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='3dnowprefetch'/>
+  </cpu>
+  <cpu type='tcg' name='Broadwell-noTSX' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rdseed'/>
+    <blocker name='3dnowprefetch'/>
+  </cpu>
+  <cpu type='tcg' name='Broadwell-IBRS' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='rdseed'/>
+    <blocker name='spec-ctrl'/>
+    <blocker name='3dnowprefetch'/>
+  </cpu>
+  <cpu type='tcg' name='Broadwell' usable='no'>
+    <blocker name='fma'/>
+    <blocker name='pcid'/>
+    <blocker name='x2apic'/>
+    <blocker name='tsc-deadline'/>
+    <blocker name='avx'/>
+    <blocker name='f16c'/>
+    <blocker name='rdrand'/>
+    <blocker name='hle'/>
+    <blocker name='avx2'/>
+    <blocker name='invpcid'/>
+    <blocker name='rtm'/>
+    <blocker name='rdseed'/>
+    <blocker name='3dnowprefetch'/>
+  </cpu>
+  <cpu type='tcg' name='486' usable='yes'/>
+  <machine name='pc-i440fx-4.0' alias='pc' hotplugCpus='yes' maxCpus='255' default='yes'/>
+  <machine name='isapc' hotplugCpus='yes' maxCpus='1'/>
+  <machine name='pc-1.1' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-1.2' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-1.3' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.8' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-1.0' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.9' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.6' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.7' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.3' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.4' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.5' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.1' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.2' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-3.1' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-i440fx-2.0' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.11' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-q35-2.12' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-q35-3.0' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-q35-2.10' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-i440fx-1.7' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.9' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-0.15' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-1.5' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.7' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-1.6' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.11' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.8' hotplugCpus='yes' maxCpus='288'/>
+  <machine name='pc-0.13' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.12' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-0.14' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-3.0' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-3.1' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.4' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.5' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-2.6' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-2.10' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-i440fx-1.4' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-0.12' hotplugCpus='yes' maxCpus='255'/>
+  <machine name='pc-q35-4.0' alias='q35' hotplugCpus='yes' maxCpus='288'/>
+  <mktme>
+    <keys_supported>15</keys_supported>
+  </mktme>
+</qemuCaps>
-- 
2.21.0.windows.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

Posted by Peter Krempa 11 weeks ago
On Wed, May 01, 2019 at 14:41:57 -0700, Larkins Carvalho wrote:
> From: llcarval <larkins.l.carvalho@intel.com>
> 
> Total Memory Encryption (TME) – provides the capability to encrypt the
> entirety of the physical memory of a system. MKTME builds on TME and
> adds support for multiple encryption keys.
> 
> High Level flow:
> 
> 1. Management tool calls virNodeGetMKTMEInfo. This returns an XML document
> that includes the following
> 
> <feature>
> ...
>   <mktme supported='yes'>
>     <keys_supported> </keys_supported>
>   </mktme>
> </feature>
> 
> 2. Management tool requests to start a guest calling virCreateXML(). The xml would include
> 
> <launchsecurity type='mktme'>
>   <id>m0</id>
>   <key_type>user</key_type>
>   <key>samplekey</key>
>   <encryption_algorithm>aes-xts-128</encryption_algorithm>
> </launchSecurity>
> 
> 3. Libvirt makes system call with the provided information to generate a key handle using linux keyring services.
> Qemu uses the key handle to launch the workload.
> 
> 4. Libvirt generate the QEMU cli arg to enable the MKTME feature, a typical
> args looks like this:
> 
> -machine memory-encryption=m0 \
> -object mktme-guest,id=m0,handle=${serial}
> 
> Intel MKTME spec: https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf
> 
> WIP: Qemu and KVM patch to support Intel MKTME are in the process of development and community approval.
> 
> The purpose of this initial review is to get on par with libvirt development and the proposed Intel MKTME feature in libvirt.
> Considering we have not added tests, this is a preliminary patch and based on the community feedback, we expect more updates to follow.
> 
> TODO:
> Add tests for launch security of type mktme.
> Update domaincommon.rng to add attribute of type mktme.
> ---

>  docs/formatdomain.html.in                     |   62 +-
>  docs/formatdomaincaps.html.in                 |   18 +
>  docs/schemas/domaincaps.rng                   |   14 +
>  include/libvirt/libvirt-host.h                |   18 +
>  src/conf/domain_capabilities.c                |   29 +
>  src/conf/domain_capabilities.h                |   12 +
>  src/conf/domain_conf.c                        |  114 +-
>  src/conf/domain_conf.h                        |   13 +
>  src/conf/virconftypes.h                       |    3 +
>  src/driver-hypervisor.h                       |    7 +
>  src/libvirt-host.c                            |   48 +
>  src/libvirt_private.syms                      |    5 +
>  src/libvirt_public.syms                       |    5 +
>  src/qemu/qemu_capabilities.c                  |  130 +-
>  src/qemu/qemu_capabilities.h                  |    4 +
>  src/qemu/qemu_capspriv.h                      |    4 +
>  src/qemu/qemu_command.c                       |   40 +
>  src/qemu/qemu_driver.c                        |   63 +
>  src/qemu/qemu_monitor.c                       |    9 +
>  src/qemu/qemu_monitor.h                       |    5 +
>  src/qemu/qemu_monitor_json.c                  |   52 +
>  src/qemu/qemu_monitor_json.h                  |    3 +
>  src/remote/remote_daemon_dispatch.c           |   43 +
>  src/remote/remote_driver.c                    |   40 +-
>  src/remote/remote_protocol.x                  |   21 +-
>  src/remote_protocol-structs                   |   12 +
>  src/util/Makefile.inc.am                      |    2 +
>  src/util/virmktme.c                           |  112 ++
>  src/util/virmktme.h                           |   33 +
>  .../bhyve_basic.x86_64.xml                    |    1 +
>  .../bhyve_fbuf.x86_64.xml                     |    1 +
>  .../bhyve_uefi.x86_64.xml                     |    1 +
>  tests/domaincapsschemadata/empty.xml          |    1 +
>  tests/domaincapsschemadata/libxl-xenfv.xml    |    1 +
>  tests/domaincapsschemadata/libxl-xenpv.xml    |    1 +
>  .../qemu_1.7.0.x86_64.xml                     |    1 +
>  .../qemu_2.12.0-virt.aarch64.xml              |    1 +
>  .../qemu_2.12.0.ppc64.xml                     |    1 +
>  .../qemu_2.12.0.s390x.xml                     |    1 +
>  .../qemu_2.12.0.x86_64.xml                    |    1 +
>  .../qemu_2.6.0-virt.aarch64.xml               |    1 +
>  .../qemu_2.6.0.aarch64.xml                    |    1 +
>  .../domaincapsschemadata/qemu_2.6.0.ppc64.xml |    1 +
>  .../qemu_2.6.0.x86_64.xml                     |    1 +
>  .../domaincapsschemadata/qemu_2.7.0.s390x.xml |    1 +
>  .../qemu_2.8.0-tcg.x86_64.xml                 |    1 +
>  .../domaincapsschemadata/qemu_2.8.0.s390x.xml |    1 +
>  .../qemu_2.8.0.x86_64.xml                     |    1 +
>  .../qemu_2.9.0-q35.x86_64.xml                 |    1 +
>  .../qemu_2.9.0-tcg.x86_64.xml                 |    1 +
>  .../qemu_2.9.0.x86_64.xml                     |    1 +
>  .../domaincapsschemadata/qemu_3.0.0.s390x.xml |    1 +
>  .../qemu_3.1.0.x86_64.xml                     |    1 +
>  .../qemu_4.0.0.x86_64.xml                     |    1 +
>  .../qemu_5.0.0.x86_64.xml                     |  164 ++
>  tests/domaincapstest.c                        |    4 +
>  .../caps_5.0.0.x86_64.xml                     | 1389 +++++++++++++++++

Please be advised that we will not accept everything stuffed into one
commit. Please split up this patch into logical units as it's usual
(look at other series) and also make sure that it's possible to compile
the tree including running make check and make syntax check after every
single commit.
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

Posted by Carvalho, Larkins L 11 weeks ago
Hello Peter,

Thank you for the feedback.
I'll submit another patch series.

I have a question regarding the test cap replies file.
We are querying Qemu to get the capability information.
The Qemu patch is not yet upstream, hence, we are not able to create the replies file for the same.
Is it ok to submit the patch for the feedback without the replies file? 
Since the Qemu support for MKTME is not yet upstream and without Qemu support we cannot merge this changes to Libvirt.

Regards,
Larkins

-----Original Message-----
From: Peter Krempa [mailto:pkrempa@redhat.com]
Sent: Monday, May 6, 2019 1:39 AM
To: Carvalho, Larkins L <larkins.l.carvalho@intel.com>
Cc: libvir-list@redhat.com; Mohammed, Karimullah <karimullah.mohammed@intel.com>
Subject: Re: [libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

On Wed, May 01, 2019 at 14:41:57 -0700, Larkins Carvalho wrote:
> From: llcarval <larkins.l.carvalho@intel.com>
> 
> Total Memory Encryption (TME) – provides the capability to encrypt the 
> entirety of the physical memory of a system. MKTME builds on TME and 
> adds support for multiple encryption keys.
> 
> High Level flow:
> 
> 1. Management tool calls virNodeGetMKTMEInfo. This returns an XML 
> document that includes the following
> 
> <feature>
> ...
>   <mktme supported='yes'>
>     <keys_supported> </keys_supported>
>   </mktme>
> </feature>
> 
> 2. Management tool requests to start a guest calling virCreateXML(). 
> The xml would include
> 
> <launchsecurity type='mktme'>
>   <id>m0</id>
>   <key_type>user</key_type>
>   <key>samplekey</key>
>   <encryption_algorithm>aes-xts-128</encryption_algorithm>
> </launchSecurity>
> 
> 3. Libvirt makes system call with the provided information to generate a key handle using linux keyring services.
> Qemu uses the key handle to launch the workload.
> 
> 4. Libvirt generate the QEMU cli arg to enable the MKTME feature, a 
> typical args looks like this:
> 
> -machine memory-encryption=m0 \
> -object mktme-guest,id=m0,handle=${serial}
> 
> Intel MKTME spec: 
> https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key
> -Total-Memory-Encryption-Spec.pdf
> 
> WIP: Qemu and KVM patch to support Intel MKTME are in the process of development and community approval.
> 
> The purpose of this initial review is to get on par with libvirt development and the proposed Intel MKTME feature in libvirt.
> Considering we have not added tests, this is a preliminary patch and based on the community feedback, we expect more updates to follow.
> 
> TODO:
> Add tests for launch security of type mktme.
> Update domaincommon.rng to add attribute of type mktme.
> ---

>  docs/formatdomain.html.in                     |   62 +-
>  docs/formatdomaincaps.html.in                 |   18 +
>  docs/schemas/domaincaps.rng                   |   14 +
>  include/libvirt/libvirt-host.h                |   18 +
>  src/conf/domain_capabilities.c                |   29 +
>  src/conf/domain_capabilities.h                |   12 +
>  src/conf/domain_conf.c                        |  114 +-
>  src/conf/domain_conf.h                        |   13 +
>  src/conf/virconftypes.h                       |    3 +
>  src/driver-hypervisor.h                       |    7 +
>  src/libvirt-host.c                            |   48 +
>  src/libvirt_private.syms                      |    5 +
>  src/libvirt_public.syms                       |    5 +
>  src/qemu/qemu_capabilities.c                  |  130 +-
>  src/qemu/qemu_capabilities.h                  |    4 +
>  src/qemu/qemu_capspriv.h                      |    4 +
>  src/qemu/qemu_command.c                       |   40 +
>  src/qemu/qemu_driver.c                        |   63 +
>  src/qemu/qemu_monitor.c                       |    9 +
>  src/qemu/qemu_monitor.h                       |    5 +
>  src/qemu/qemu_monitor_json.c                  |   52 +
>  src/qemu/qemu_monitor_json.h                  |    3 +
>  src/remote/remote_daemon_dispatch.c           |   43 +
>  src/remote/remote_driver.c                    |   40 +-
>  src/remote/remote_protocol.x                  |   21 +-
>  src/remote_protocol-structs                   |   12 +
>  src/util/Makefile.inc.am                      |    2 +
>  src/util/virmktme.c                           |  112 ++
>  src/util/virmktme.h                           |   33 +
>  .../bhyve_basic.x86_64.xml                    |    1 +
>  .../bhyve_fbuf.x86_64.xml                     |    1 +
>  .../bhyve_uefi.x86_64.xml                     |    1 +
>  tests/domaincapsschemadata/empty.xml          |    1 +
>  tests/domaincapsschemadata/libxl-xenfv.xml    |    1 +
>  tests/domaincapsschemadata/libxl-xenpv.xml    |    1 +
>  .../qemu_1.7.0.x86_64.xml                     |    1 +
>  .../qemu_2.12.0-virt.aarch64.xml              |    1 +
>  .../qemu_2.12.0.ppc64.xml                     |    1 +
>  .../qemu_2.12.0.s390x.xml                     |    1 +
>  .../qemu_2.12.0.x86_64.xml                    |    1 +
>  .../qemu_2.6.0-virt.aarch64.xml               |    1 +
>  .../qemu_2.6.0.aarch64.xml                    |    1 +
>  .../domaincapsschemadata/qemu_2.6.0.ppc64.xml |    1 +
>  .../qemu_2.6.0.x86_64.xml                     |    1 +
>  .../domaincapsschemadata/qemu_2.7.0.s390x.xml |    1 +
>  .../qemu_2.8.0-tcg.x86_64.xml                 |    1 +
>  .../domaincapsschemadata/qemu_2.8.0.s390x.xml |    1 +
>  .../qemu_2.8.0.x86_64.xml                     |    1 +
>  .../qemu_2.9.0-q35.x86_64.xml                 |    1 +
>  .../qemu_2.9.0-tcg.x86_64.xml                 |    1 +
>  .../qemu_2.9.0.x86_64.xml                     |    1 +
>  .../domaincapsschemadata/qemu_3.0.0.s390x.xml |    1 +
>  .../qemu_3.1.0.x86_64.xml                     |    1 +
>  .../qemu_4.0.0.x86_64.xml                     |    1 +
>  .../qemu_5.0.0.x86_64.xml                     |  164 ++
>  tests/domaincapstest.c                        |    4 +
>  .../caps_5.0.0.x86_64.xml                     | 1389 +++++++++++++++++

Please be advised that we will not accept everything stuffed into one commit. Please split up this patch into logical units as it's usual (look at other series) and also make sure that it's possible to compile the tree including running make check and make syntax check after every single commit.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] x86: Multi-key Total Memory Encryption (Intel)

Posted by Daniel P. Berrangé 11 weeks ago
On Mon, May 06, 2019 at 08:56:55PM +0000, Carvalho, Larkins L wrote:
> Hello Peter,
> 
> Thank you for the feedback.
> I'll submit another patch series.
> 
> I have a question regarding the test cap replies file.
> We are querying Qemu to get the capability information.
> The Qemu patch is not yet upstream, hence, we are not able to create
> the replies file for the same.

Either leave out the replies file, or just apply your MKTME patches to
upstream QEMU in your local checkout & generate replies file from that.
Then you can update the patch with new replies file once the QEMU
pieces finally merge.

> Is it ok to submit the patch for the feedback without the replies file? 
> Since the Qemu support for MKTME is not yet upstream and without Qemu
> support we cannot merge this changes to Libvirt.

Libvirt won't merge the patches until the corresponding QEMU piece is
merged, but we have happy to review patches at any time. Indeed it is
*good* to have libvirt patches reviewed before QEMU stuff is merged,
as that makes it easier if we spot things that can be improved in
QEMU for help libvirt.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list