From nobody Thu Sep 19 01:22:21 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1718882918; cv=none;
	d=zohomail.com; s=zohoarc;
	b=QDwGrpeAqwj0FcDscOjDtrXSZRanhttprUu5xgId9BOLAkwsdo9um5WlmxUTCJmP0p2GyMLBAjMT3LYFbVftqsUSuHjgHPiq9GXweOueJA9w+eyoqAowBoUTK4vURt2eta++yQZA9h79CSf78Th8grlZFPje2/g1pY/wkZt1FbU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1718882918;
 h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To:Cc;
	bh=SujLOIV/RteQaEmsewZsrs+joHr7d8uxbIG3GGN55PA=;
	b=C1bX0V2fFqy/vE80gYrXS536Gy0utqc84P23kpBhjuO9BPhVTBANZyZ4GqZZHCQvfAb/Ao9uCcUoKuqp2g4t0kYmTEPdBncXmegRy9YjAH5PT3j5r7n6TqHnH318Kw2FCGhYObt+VmqPBT2zD5q60YK3ayuz/JcxmzrCYNPqtNY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=pass header.from=<mprivozn@redhat.com> (p=none dis=none)
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1718882918542790.723079559588;
 Thu, 20 Jun 2024 04:28:38 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 61B74BD0; Thu, 20 Jun 2024 07:28:37 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 4E14611AE;
	Thu, 20 Jun 2024 07:23:30 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 910E3C91; Thu, 20 Jun 2024 07:23:20 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 437C2121E
	for <devel@lists.libvirt.org>; Thu, 20 Jun 2024 07:23:06 -0400 (EDT)
Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-222-HrZasJpYMg2TBYhDfGK0jA-1; Thu,
 20 Jun 2024 07:23:04 -0400
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 8F0DC19560BA
	for <devel@lists.libvirt.org>; Thu, 20 Jun 2024 11:23:03 +0000 (UTC)
Received: from maggie.brq.redhat.com (unknown [10.43.3.102])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP
 id 9138B19560AE
	for <devel@lists.libvirt.org>; Thu, 20 Jun 2024 11:23:02 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,
	RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1718882585;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=SujLOIV/RteQaEmsewZsrs+joHr7d8uxbIG3GGN55PA=;
	b=FSmq8incimbdjGtOu1ypW3wRCZBJWBMBChOLtOF/KdsQs3Vh10O2CiPDAygRRvxfZCsLn/
	kQYpzKUvVRL73IJBFVLWhgvHFlU+XjMi2Ry28U7yg3Kpvb3NbEYeAWmF3fJhhf9BeRazVm
	Y4OU8HolqVGK/M43XWHUSBKBKvUlrFM=
X-MC-Unique: HrZasJpYMg2TBYhDfGK0jA-1
From: Michal Privoznik <mprivozn@redhat.com>
To: devel@lists.libvirt.org
Subject: [PATCH 09/12] conf: Introduce SEV-SNP support
Date: Thu, 20 Jun 2024 13:22:46 +0200
Message-ID: 
 <7906bd82e291d4b3031b31a3d59e6cd91bb6b15c.1718882351.git.mprivozn@redhat.com>
In-Reply-To: <cover.1718882351.git.mprivozn@redhat.com>
References: <cover.1718882351.git.mprivozn@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 3VTPRGSLIJC7APLG6XVYKU3IS42BOBXT
X-Message-ID-Hash: 3VTPRGSLIJC7APLG6XVYKU3IS42BOBXT
X-MailFrom: mprivozn@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/3VTPRGSLIJC7APLG6XVYKU3IS42BOBXT/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: pass (identity @redhat.com)
X-ZM-MESSAGEID: 1718882920035100001
Content-Type: text/plain; charset="utf-8"; x-default="true"

SEV-SNP is an enhancement of SEV/SEV-ES and thus it shares some
fields with it. Nevertheless, on XML level, it's yet another type
of <launchSecurity/>.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 docs/formatdomain.rst                         | 108 ++++++++++++++++++
 src/conf/domain_conf.c                        |  73 ++++++++++++
 src/conf/domain_conf.h                        |  15 +++
 src/conf/domain_validate.c                    |  44 +++++++
 src/conf/schemas/domaincommon.rng             |  49 ++++++++
 src/conf/virconftypes.h                       |   2 +
 src/qemu/qemu_cgroup.c                        |   1 +
 src/qemu/qemu_command.c                       |   4 +
 src/qemu/qemu_driver.c                        |   1 +
 src/qemu/qemu_firmware.c                      |   3 +
 src/qemu/qemu_namespace.c                     |   1 +
 src/qemu/qemu_process.c                       |   3 +
 src/qemu/qemu_validate.c                      |   9 ++
 src/security/security_dac.c                   |   2 +
 ...launch-security-sev-snp.x86_64-latest.args |  34 ++++++
 .../launch-security-sev-snp.x86_64-latest.xml |   1 +
 .../launch-security-sev-snp.xml               |  47 ++++++++
 tests/qemuxmlconftest.c                       |   2 +
 18 files changed, 399 insertions(+)
 create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-la=
test.args
 create mode 120000 tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-la=
test.xml
 create mode 100644 tests/qemuxmlconfdata/launch-security-sev-snp.xml

diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 00f861e385..5c09b87d2b 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -8867,6 +8867,114 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM=
_API_Specification.pdf>`__
    session blob defined in the SEV API spec. See SEV spec LAUNCH_START sec=
tion
    for the session blob format.
=20
+
+Some modern AMD processors support Secure Encrypted Virtualization with Se=
cure
+Nested Paging enhancement, also known as SEV-SNP. :since:`Since 10.5.0` To
+enable it ``<launchSecurity type=3D'sev-snp'>`` should be used. It shares =
some
+attributes and elements with ``type=3D'sev'`` but differs in others. Examp=
le configuration:
+
+::
+
+  <domain>
+    ...
+    <launchSecurity type=3D'sev-snp' authorKey=3D'yes' vcek=3D'no'>
+      <cbitpos>47</cbitpos>
+      <reducedPhysBits>1</reducedPhysBits>
+      <policy>0x00030000</policy>
+      <guestVisibleWorkarounds>...</guestVisibleWorkarounds>
+      <idBlock>...</idBlock>
+      <idAuth>...</idAuth>
+      <hostData>.../hostData>
+    </launchSecurity>
+    ...
+  </domain>
+
+The ``<launchSecurity/>`` element accepts the following attributes:
+
+``kernelHashes``
+   The optional ``kernelHashes`` attribute indicates whether the
+   hashes of the kernel, ramdisk and command line should be included
+   in the measurement done by the firmware. This is only valid if
+   using direct kernel boot.
+
+``authorKey``
+   The optional ``authorKey`` attribute indicates whether ``<idAuth/>`` el=
ement
+   contains the 'AUTHOR_KEY' field defined SEV-SNP firmware ABI.
+
+``vcek``
+   The optional ``vcek`` attribute indicates whether the guest is allowed =
to
+   chose between VLEK (Versioned Loaded Endorsement Key) or VCEK (Versioned
+   Chip Endorsement Key)  when requesting attestation reports from firmwar=
e.
+   Set this to ``no`` to disable the use of VCEK.
+
+Aforementioned SEV-SNP firmware ABI can be found here:
+`<https://www.amd.com/system/files/TechDocs/56860.pdf>`__
+
+The ``<launchSecurity/>`` element then accepts the following child element=
s:
+
+``cbitpos``
+   The required ``cbitpos`` element provides the C-bit (aka encryption bit)
+   location in guest page table entry. The value of ``cbitpos`` is hypervi=
sor
+   dependent and can be obtained through the ``sev`` element from the doma=
in
+   capabilities.
+``reducedPhysBits``
+   The required ``reducedPhysBits`` element provides the physical address =
bit
+   reduction. Similar to ``cbitpos`` the value of ``reduced-phys-bit`` is
+   hypervisor dependent and can be obtained through the ``sev`` element fr=
om the
+   domain capabilities.
+``policy``
+   The required ``policy`` element provides the guest policy which must be
+   maintained by the SEV-SNP firmware. This policy is enforced by the firm=
ware
+   and restricts what configuration and operational commands can be perfor=
med
+   on this guest by the hypervisor. The guest policy provided during guest
+   launch is bound to the guest and cannot be changed throughout the lifet=
ime
+   of the guest. The policy is also transmitted during snapshot and migrat=
ion
+   flows and enforced on the destination platform. The guest policy is a 6=
4bit
+   unsigned number with the fields shown in table (See section `4.3 Guest
+   Policy` in aforementioned firmware ABI specification):
+
+   =3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+   Bit(s) Description
+   =3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+   63:25  Reserved. Must be zero.
+   24     Ciphertext hiding must be enabled when set, otherwise may be ena=
bled or disabled.
+   23     Running Average Power Limit (RAPL) must be disabled when set.
+   22     Require AES 256 XTS for memory encryption when set, otherwise AE=
S 128 XEX may be allowed.
+   21     CXL can be populated with devices or memory when set.
+   20     Guest can be activated only on one socket when set.
+   19     Debugging is allowed when set.
+   18     Association with a migration agent is allowed when set.
+   17     Reserved. Must be set.
+   16     SMT is allowed.
+   15:8   The minimum ABI major version required for this guest to run.
+   7:0    The minimum ABI minor version required for this guest to run.
+   =3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+
+   The default value is hypervisor dependant and QEMU defaults to value 0x=
30000
+   meaning no minimum ABI major/minor version is required and SMT is allow=
ed.
+
+``guestVisibleWorkarounds``
+   The optional ``guestVisibleWorkarounds`` element is a 16-byte,
+   base64-encoded blob to report hypervisor-defined workarounds, correspon=
ding
+   to the 'GOSVW' parameter of the SNP_LAUNCH_START command defined in the
+   SEV-SNP firmware ABI.
+
+``idBlock``
+   The optional ``idBlock`` element is a 96-byte, base64-encoded blob to
+   provide the 'ID Block' structure for the SNP_LAUNCH_FINISH command defi=
ned
+   in the SEV-SNP firmware ABI.
+
+``idAuth``
+   The optional ``idAuth`` element is a 4096-byte, base64-encoded blob to
+   provide the 'ID Authentication Information Structure' for the
+   SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI.
+
+``hostData``
+   The optional ``hostData`` element is a 32-byte, base64-encoded, user-de=
fined
+   blob to provide to the guest, as documented for the 'HOST_DATA' paramet=
er of
+   the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
+
+
 Example configs
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=20
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 102a011be8..cb1154b23f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1509,6 +1509,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               VIR_DOMAIN_LAUNCH_SECURITY_LAST,
               "",
               "sev",
+              "sev-snp",
               "s390-pv",
 );
=20
@@ -3835,6 +3836,12 @@ virDomainSecDefFree(virDomainSecDef *def)
         g_free(def->data.sev.dh_cert);
         g_free(def->data.sev.session);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        g_free(def->data.sev_snp.guest_visible_workarounds);
+        g_free(def->data.sev_snp.id_block);
+        g_free(def->data.sev_snp.id_auth);
+        g_free(def->data.sev_snp.host_data);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
     case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
@@ -13676,6 +13683,36 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
 }
=20
=20
+static int
+virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
+                           xmlXPathContextPtr ctxt)
+{
+    if (virDomainSEVCommonDefParseXML(&def->common, ctxt) < 0)
+        return -1;
+
+    if (virXMLPropTristateBool(ctxt->node, "authorKey", VIR_XML_PROP_NONE,
+                               &def->author_key) < 0)
+        return -1;
+
+    if (virXMLPropTristateBool(ctxt->node, "vcek", VIR_XML_PROP_NONE,
+                               &def->vcek) < 0)
+        return -1;
+
+    if (virXPathULongLongBase("string(./policy)", ctxt, 16, &def->policy) =
< 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch security policy"));
+        return -1;
+    }
+
+    def->guest_visible_workarounds =3D virXPathString("string(./guestVisib=
leWorkarounds)", ctxt);
+    def->id_block =3D virXPathString("string(./idBlock)", ctxt);
+    def->id_auth =3D virXPathString("string(./idAuth)", ctxt);
+    def->host_data =3D virXPathString("string(./hostData)", ctxt);
+
+    return 0;
+}
+
+
 static virDomainSecDef *
 virDomainSecDefParseXML(xmlNodePtr lsecNode,
                         xmlXPathContextPtr ctxt)
@@ -13695,6 +13732,10 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
         if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0)
             return NULL;
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        if (virDomainSEVSNPDefParseXML(&sec->data.sev_snp, ctxt) < 0)
+            return NULL;
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         break;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
@@ -26683,6 +26724,34 @@ virDomainSEVDefFormat(virBuffer *attrBuf,
 }
=20
=20
+static void
+virDomainSEVSNPDefFormat(virBuffer *attrBuf,
+                         virBuffer *childBuf,
+                         virDomainSEVSNPDef *def)
+{
+    virDomainSEVCommonDefFormat(attrBuf, childBuf, &def->common);
+
+    if (def->author_key !=3D VIR_TRISTATE_BOOL_ABSENT) {
+        virBufferAsprintf(attrBuf, " authorKey=3D'%s'",
+                          virTristateBoolTypeToString(def->author_key));
+    }
+
+    if (def->vcek !=3D VIR_TRISTATE_BOOL_ABSENT) {
+        virBufferAsprintf(attrBuf, " vcek=3D'%s'",
+                          virTristateBoolTypeToString(def->vcek));
+    }
+
+    virBufferAsprintf(childBuf, "<policy>0x%08llx</policy>\n", def->policy=
);
+
+    virBufferEscapeString(childBuf,
+                          "<guestVisibleWorkarounds>%s</guestVisibleWorkar=
ounds>\n",
+                          def->guest_visible_workarounds);
+    virBufferEscapeString(childBuf, "<idBlock>%s</idBlock>\n", def->id_blo=
ck);
+    virBufferEscapeString(childBuf, "<idAuth>%s</idAuth>\n", def->id_auth);
+    virBufferEscapeString(childBuf, "<hostData>%s</hostData>\n", def->host=
_data);
+}
+
+
 static void
 virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
 {
@@ -26700,6 +26769,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSec=
Def *sec)
         virDomainSEVDefFormat(&attrBuf, &childBuf, &sec->data.sev);
         break;
=20
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        virDomainSEVSNPDefFormat(&attrBuf, &childBuf, &sec->data.sev_snp);
+        break;
+
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         break;
=20
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index c6c3c2e2a5..2818a9f1f5 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2860,6 +2860,7 @@ struct _virDomainKeyWrapDef {
 typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_NONE,
     VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+    VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP,
     VIR_DOMAIN_LAUNCH_SECURITY_PV,
=20
     VIR_DOMAIN_LAUNCH_SECURITY_LAST,
@@ -2882,10 +2883,24 @@ struct _virDomainSEVDef {
     unsigned int policy;
 };
=20
+
+struct _virDomainSEVSNPDef {
+    virDomainSEVCommonDef common;
+    unsigned long long policy;
+    char *guest_visible_workarounds;
+    char *id_block;
+    char *id_auth;
+    char *host_data;
+    virTristateBool author_key;
+    virTristateBool vcek;
+};
+
+
 struct _virDomainSecDef {
     virDomainLaunchSecurity sectype;
     union {
         virDomainSEVDef sev;
+        virDomainSEVSNPDef sev_snp;
     } data;
 };
=20
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index 395e036e8f..0661caef68 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1800,6 +1800,47 @@ virDomainDefValidateIOThreads(const virDomainDef *de=
f)
 }
=20
=20
+#define CHECK_BASE64_LEN(val, elemName, exp_len) \
+{ \
+    size_t len; \
+    g_autofree unsigned char *tmp =3D NULL; \
+    if (val && (tmp =3D g_base64_decode(val, &len)) && len !=3D exp_len) {=
 \
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, \
+                       _("Unexpected length of '%1$s', expected %2$u got %=
3$zu"), \
+                        elemName, exp_len, len); \
+        return -1; \
+    } \
+}
+
+static int
+virDomainDefLaunchSecurityValidate(const virDomainDef *def)
+{
+    virDomainSEVSNPDef *sev_snp;
+
+    if (!def->sec)
+        return 0;
+
+    switch (def->sec->sectype) {
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        sev_snp =3D &def->sec->data.sev_snp;
+
+        CHECK_BASE64_LEN(sev_snp->guest_visible_workarounds, "guestVisible=
Workarounds", 16);
+        CHECK_BASE64_LEN(sev_snp->id_block, "idBlock", 96);
+        CHECK_BASE64_LEN(sev_snp->id_auth, "idAuth", 4096);
+        CHECK_BASE64_LEN(sev_snp->host_data, "hostData", 32);
+        break;
+
+    case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+    }
+
+    return 0;
+}
+
+#undef CHECK_BASE64_LEN
+
 static int
 virDomainDefValidateInternal(const virDomainDef *def,
                              virDomainXMLOption *xmlopt)
@@ -1855,6 +1896,9 @@ virDomainDefValidateInternal(const virDomainDef *def,
     if (virDomainDefValidateIOThreads(def) < 0)
         return -1;
=20
+    if (virDomainDefLaunchSecurityValidate(def) < 0)
+        return -1;
+
     return 0;
 }
=20
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincom=
mon.rng
index 9a7649df1c..844a931deb 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -515,6 +515,9 @@
         <group>
           <ref name=3D"launchSecuritySEV"/>
         </group>
+        <group>
+          <ref name=3D"launchSecuritySEVSNP"/>
+        </group>
         <group>
           <attribute name=3D"type">
             <value>s390-pv</value>
@@ -569,6 +572,52 @@
     </interleave>
   </define>
=20
+  <define name=3D"launchSecuritySEVSNP">
+    <attribute name=3D"type">
+      <value>sev-snp</value>
+    </attribute>
+    <optional>
+      <attribute name=3D"kernelHashes">
+        <ref name=3D"virYesNo"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name=3D"authorKey">
+        <ref name=3D"virYesNo"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name=3D"vcek">
+        <ref name=3D"virYesNo"/>
+      </attribute>
+    </optional>
+    <interleave>
+      <ref name=3D"launchSecuritySEVCommon"/>
+      <element name=3D"policy">
+        <ref name=3D"hexuint"/>
+      </element>
+      <optional>
+        <element name=3D"guestVisibleWorkarounds">
+          <data type=3D"string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name=3D"idBlock">
+          <data type=3D"string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name=3D"idAuth">
+          <data type=3D"string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name=3D"hostData">
+          <data type=3D"string"/>
+        </element>
+      </optional>
+    </interleave>
+  </define>
   <!--
       Enable or disable perf events for the domain. For each
       of the events the following rules apply:
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 34bb1e262f..d8e7c5278c 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -214,6 +214,8 @@ typedef struct _virDomainSEVCommonDef virDomainSEVCommo=
nDef;
=20
 typedef struct _virDomainSEVDef virDomainSEVDef;
=20
+typedef struct _virDomainSEVSNPDef virDomainSEVSNPDef;
+
 typedef struct _virDomainSecDef virDomainSecDef;
=20
 typedef struct _virDomainShmemDef virDomainShmemDef;
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 9e559c7c4f..23b7e6b4e8 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -848,6 +848,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
     if (vm->def->sec) {
         switch (vm->def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
             if (qemuSetupSEVCgroup(vm) < 0)
                 return -1;
             break;
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 1879fa608c..8d83417bb6 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7062,6 +7062,8 @@ qemuBuildMachineCommandLine(virCommand *cmd,
                 virBufferAddLit(&buf, ",memory-encryption=3Dlsec0");
             }
             break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             virBufferAddLit(&buf, ",confidential-guest-support=3Dlsec0");
             break;
@@ -9781,6 +9783,8 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand =
*cmd,
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         return qemuBuildPVCommandLine(vm, cmd);
         break;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 1a71857147..fc1704f4fc 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19128,6 +19128,7 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
=20
     switch (vm->def->sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
         if (qemuDomainGetSEVInfo(vm, params, nparams, flags) < 0)
             goto cleanup;
         break;
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 8946dc1aa5..262eeecc5c 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -1338,6 +1338,9 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
                 return false;
             }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             break;
         case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index fb7c9329dd..bbe3d5a1f7 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -653,6 +653,7 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
=20
     switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
         VIR_DEBUG("Setting up launch security for SEV");
=20
         *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_SEV));
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index d14975180a..b9b6ccf1de 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6744,6 +6744,7 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
     if (vm->def->sec) {
         switch (vm->def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
             VIR_DEBUG("Updating SEV platform info");
             if (qemuProcessUpdateSEVInfo(vm) < 0)
                 return -1;
@@ -6818,6 +6819,8 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainO=
bj *vm)
     switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuProcessPrepareSEVGuestInput(vm);
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         return 0;
     case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index 05ee477456..3cfcceafc9 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1325,6 +1325,15 @@ qemuValidateDomainDef(const virDomainDef *def,
                 return -1;
             }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("SEV SNP launch security is not supported=
 with this QEMU binary"));
+                return -1;
+            }
+            break;
+
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GU=
EST_SUPPORT) ||
                 !virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST)) {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index d0864313c1..1a3b51a298 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1954,6 +1954,7 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
     if (def->sec) {
         switch (def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
             if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
                 rc =3D -1;
             break;
@@ -2187,6 +2188,7 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
     if (def->sec) {
         switch (def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
             if (virSecurityDACSetSEVLabel(mgr, def) < 0)
                 return -1;
             break;
diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.ar=
gs b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
new file mode 100644
index 0000000000..37ac58edb8
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.args
@@ -0,0 +1,34 @@
+LC_ALL=3DC \
+PATH=3D/bin \
+HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1 \
+USER=3Dtest \
+LOGNAME=3Dtest \
+XDG_DATA_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=3DQEMUGuest1,debug-threads=3Don \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/va=
r/lib/libvirt/qemu/domain--1-QEMUGuest1/master-key.aes"}' \
+-machine pc,usb=3Doff,dump-guest-core=3Doff,memory-backend=3Dpc.ram,acpi=
=3Doff \
+-accel kvm \
+-cpu qemu64 \
+-m size=3D219136k \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":224395264}'=
 \
+-overcommit mem-lock=3Doff \
+-smp 1,sockets=3D1,cores=3D1,threads=3D1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=3Dcharmonitor,fd=3D1729,server=3Don,wait=3Doff \
+-mon chardev=3Dcharmonitor,id=3Dmonitor,mode=3Dcontrol \
+-rtc base=3Dutc \
+-no-shutdown \
+-boot strict=3Don \
+-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0=
x2"}' \
+-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1","no=
de-name":"libvirt-1-storage","read-only":false}' \
+-device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor=
age","id":"ide0-0-0","bootindex":1}' \
+-audiodev '{"id":"audio1","driver":"none"}' \
+-sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource=
control=3Ddeny \
+-msg timestamp=3Don
diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xm=
l b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
new file mode 120000
index 0000000000..0159cc057b
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.x86_64-latest.xml
@@ -0,0 +1 @@
+launch-security-sev-snp.xml
\ No newline at end of file
diff --git a/tests/qemuxmlconfdata/launch-security-sev-snp.xml b/tests/qemu=
xmlconfdata/launch-security-sev-snp.xml
new file mode 100644
index 0000000000..b277d7de1b
--- /dev/null
+++ b/tests/qemuxmlconfdata/launch-security-sev-snp.xml
@@ -0,0 +1,47 @@
+<domain type=3D'kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit=3D'KiB'>219100</memory>
+  <currentMemory unit=3D'KiB'>219100</currentMemory>
+  <vcpu placement=3D'static'>1</vcpu>
+  <os>
+    <type arch=3D'x86_64' machine=3D'pc'>hvm</type>
+    <boot dev=3D'hd'/>
+  </os>
+  <cpu mode=3D'custom' match=3D'exact' check=3D'none'>
+    <model fallback=3D'forbid'>qemu64</model>
+  </cpu>
+  <clock offset=3D'utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type=3D'block' device=3D'disk'>
+      <driver name=3D'qemu' type=3D'raw'/>
+      <source dev=3D'/dev/HostVG/QEMUGuest1'/>
+      <target dev=3D'hda' bus=3D'ide'/>
+      <address type=3D'drive' controller=3D'0' bus=3D'0' target=3D'0' unit=
=3D'0'/>
+    </disk>
+    <controller type=3D'usb' index=3D'0' model=3D'piix3-uhci'>
+      <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x01' f=
unction=3D'0x2'/>
+    </controller>
+    <controller type=3D'ide' index=3D'0'>
+      <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x01' f=
unction=3D'0x1'/>
+    </controller>
+    <controller type=3D'pci' index=3D'0' model=3D'pci-root'/>
+    <input type=3D'mouse' bus=3D'ps2'/>
+    <input type=3D'keyboard' bus=3D'ps2'/>
+    <audio id=3D'1' type=3D'none'/>
+    <memballoon model=3D'none'/>
+  </devices>
+  <launchSecurity type=3D'sev-snp' authorKey=3D'yes' vcek=3D'no'>
+    <cbitpos>47</cbitpos>
+    <reducedPhysBits>1</reducedPhysBits>
+    <policy>0x00030000</policy>
+    <guestVisibleWorkarounds>bGlidmlydGxpYnZpcnRsaQ=3D=3D</guestVisibleWor=
karounds>
+    <idBlock>bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlid=
mlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZp</idBloc=
k>
+    <idAuth>bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidm=
lydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2a=
XJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZp=
cnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidml=
ydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aX=
J0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpc=
nRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmly=
dGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ=
0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcn=
RsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlyd=
GxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0=
bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnR=
saWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydG=
xpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0b=
GlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRs=
aWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGx=
pYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bG=
lidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsa=
WJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxp=
YnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGl=
idmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaW=
J2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpY=
nZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGli=
dmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ=
2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYn=
ZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlid=
mlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2=
aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZ=
pcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidm=
lydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2a=
XJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZp=
cnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidml=
ydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aX=
J0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpc=
nRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmly=
dGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ=
0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcn=
RsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlyd=
GxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0=
bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnR=
saWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydG=
xpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0b=
GlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRs=
aWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGx=
pYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bG=
lidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsa=
WJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxp=
YnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGl=
idmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaW=
J2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpY=
nZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGli=
dmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ=
2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYn=
ZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlid=
mlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2=
aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZ=
pcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidm=
lydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2a=
XJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZp=
cnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidml=
ydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aX=
J0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpc=
nRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmly=
dGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ=
0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcn=
RsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlyd=
GxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0=
bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnR=
saWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydG=
xpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0b=
GlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRs=
aWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGx=
pYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnZpcnRsaWJ2aXJ0bA=
=3D=3D</idAuth>
+    <hostData>bGlidmlydGxpYnZpcnRsaWJ2aXJ0bGlidmlydGxpYnY=3D</hostData>
+  </launchSecurity>
+</domain>
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 5700ea314f..6733e73479 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -2849,6 +2849,8 @@ mymain(void)
                                   QEMU_CAPS_SEV_GUEST,
                                   QEMU_CAPS_LAST);
=20
+    DO_TEST_CAPS_ARCH_LATEST("launch-security-sev-snp", "x86_64");
+
     DO_TEST_CAPS_ARCH_LATEST("launch-security-s390-pv", "s390x");
=20
     DO_TEST_CAPS_LATEST("vhost-user-fs-fd-memory");
--=20
2.44.2