diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 7b7cd4258b2411393a9fac6cc1570c00df52cd7b..e88cb8c45f4d6d5e0adafa81bf8b64941f769799 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
 }
 
 
+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+                                   VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+                             "rw", ret);
+    return ret;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
             goto cleanup;
     }
 
+    if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+        goto cleanup;
+
     ret = 0;
  cleanup:
     virObjectUnref(cfg);