diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 6912762f28f93e3da73c0ffc1aa0bb4ffb31b9e9..77845fe5f7bc4b5254571d824a4fde19196e6730 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -8458,6 +8458,121 @@ qemu-kvm -net nic,model=? /dev/null
 
     <p>Note: DEA/TDEA is synonymous with DES/TDES.</p>
 
+    <h3><a id="sev">Secure Encrypted Virtualization (SEV)</a></h3>
+
+    <p>
+       The contents of the <code>&lt;launch-security type='sev'&gt;</code> element
+       is used to provide the guest owners input used for creating an encrypted
+       VM using the AMD SEV feature.
+
+       SEV is an extension to the AMD-V architecture which supports running
+       encrypted virtual machine (VMs) under the control of KVM. Encrypted
+       VMs have their pages (code and data) secured such that only the guest
+       itself has access to the unencrypted version. Each encrypted VM is
+       associated with a unique encryption key; if its data is accessed to a
+       different entity using a different key the encrypted guests data will
+       be incorrectly decrypted, leading to unintelligible data.
+
+       For more information see various input parameters and its format see the SEV API spec
+       <a href="https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf"> https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf </a>
+       <span class="since">Since 4.4.0</span>
+       </p>
+    <pre>
+&lt;domain&gt;
+  ...
+  &lt;launch-security type='sev'&gt;
+    &lt;policy&gt; 0x0001 &lt;/policy&gt;
+    &lt;cbitpos&gt; 47 &lt;/cbitpos&gt;
+    &lt;reduced-phys-bits&gt; 1 &lt;/reduced-phys-bits&gt;
+    &lt;session&gt; AAACCCDD=FFFCCCDSDS &lt;/session&gt;
+    &lt;dh-cert&gt; RBBBSDDD=FDDCCCDDDG &lt;/dh&gt;
+  &lt;/sev&gt;
+  ...
+&lt;/domain&gt;
+</pre>
+
+    <dl>
+      <dt><code>cbitpos</code></dt>
+      <dd>The required <code>cbitpos</code> element provides the C-bit (aka encryption bit)
+      location in guest page table entry. The value of <code>cbitpos</code> is
+      hypervisor dependent and can be obtained through the <code>sev</code> element
+      from the domain capabilities.
+      </dd>
+      <dt><code>reduced-phys-bits</code></dt>
+      <dd>The required <code>reduced-phys-bits</code> element provides the physical
+      address bit reducation. Similar to <code>cbitpos</code> the value of <code>
+      reduced-phys-bit</code> is hypervisor dependent and can be obtained
+      through the <code>sev</code> element from the domain capabilities.
+      </dd>
+      <dt><code>policy</code></dt>
+      <dd>The required <code>policy</code> element provides the guest policy
+      which must be maintained by the SEV firmware. This policy is enforced by
+      the firmware and restricts what configuration and operational commands
+      can be performed on this guest by the hypervisor. The guest policy
+      provided during guest launch is bound to the guest and cannot be changed
+      throughout the lifetime of the guest. The policy is also transmitted
+      during snapshot and migration flows and enforced on the destination platform.
+
+      The guest policy is a 4 unsigned byte with the fields shown in Table:
+
+      <table class="top_table">
+        <tr>
+          <th> Bit(s) </th>
+          <th> Description </th>
+        </tr>
+        <tr>
+          <td> 0 </td>
+          <td> Debugging of the guest is disallowed when set </td>
+        </tr>
+        <tr>
+          <td> 1 </td>
+          <td> Sharing keys with other guests is disallowed when set </td>
+        </tr>
+        <tr>
+          <td> 2 </td>
+          <td> SEV-ES is required when set</td>
+        </tr>
+        <tr>
+          <td> 3 </td>
+          <td> Sending the guest to another platform is disallowed when set</td>
+        </tr>
+        <tr>
+          <td> 4 </td>
+          <td> The guest must not be transmitted to another platform that is
+               not in the domain when set. </td>
+        </tr>
+        <tr>
+          <td> 5 </td>
+          <td> The guest must not be transmitted to another platform that is
+               not SEV capable when set. </td>
+        </tr>
+        <tr>
+          <td> 6:15 </td>
+          <td> reserved </td>
+        </tr>
+        <tr>
+          <td> 16:32 </td>
+          <td> The guest must not be transmitted to another platform with a
+               lower firmware version. </td>
+        </tr>
+      </table>
+
+      </dd>
+      <dt><code>dh-cert</code></dt>
+      <dd>The optional <code>dh-cert</code> element provides the guest owners
+      base64 encoded Diffie-Hellman (DH) key. The key is used to negotiate a
+      master secret key between the SEV firmware and guest owner. This master
+      secret key is then used to establish a trusted channel between SEV
+      firmware and guest owner.
+      </dd>
+      <dt><code>session</code></dt>
+      <dd>The optional <code>session</code> element provides the guest owners
+      base64 encoded session blob defined in the SEV API spec.
+
+      See SEV spec LAUNCH_START section for the session blob format.
+      </dd>
+    </dl>
+
     <h2><a id="examples">Example configs</a></h2>
 
     <p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 550fb10159e50883003885cbb92c863ee10043a6..1d06a5ea897bfdb76238fe60e520ec4753433880 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -77,6 +77,9 @@
         <optional>
           <ref name='keywrap'/>
         </optional>
+        <optional>
+          <ref name='launch-security'/>
+        </optional>
       </interleave>
     </element>
   </define>
@@ -436,6 +439,40 @@
     </element>
   </define>
 
+  <define name="launch-security">
+    <element name="launch-security">
+      <attribute name="type">
+        <value>sev</value>
+      </attribute>
+      <interleave>
+        <element name="cbitpos">
+          <data type='unsignedInt'/>
+        </element>
+        <element name="reduced-phys-bits">
+          <data type='unsignedInt'/>
+        </element>
+        <element name="policy">
+          <ref name='hexuint'/>
+        </element>
+        <optional>
+          <element name="handle">
+            <ref name='unsignedInt'/>
+          </element>
+        </optional>
+        <optional>
+          <element name="dh-cert">
+            <data type="string"/>
+          </element>
+        </optional>
+        <optional>
+          <element name="session">
+            <data type="string"/>
+          </element>
+        </optional>
+      </interleave>
+    </element>
+  </define>
+
   <!--
       Enable or disable perf events for the domain. For each
       of the events the following rules apply:
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 1157c7dd9305ec1f79eeeef4e9e85a373f28d55e..6fc6c573d1f7e19c9d5354d10bdd97d89ba90bb4 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -944,6 +944,10 @@ VIR_ENUM_IMPL(virDomainShmemModel, VIR_DOMAIN_SHMEM_MODEL_LAST,
               "ivshmem-plain",
               "ivshmem-doorbell")
 
+VIR_ENUM_IMPL(virDomainLaunchSecurity, VIR_DOMAIN_LAUNCH_SECURITY_LAST,
+              "",
+              "sev")
+
 static virClassPtr virDomainObjClass;
 static virClassPtr virDomainXMLOptionClass;
 static void virDomainObjDispose(void *obj);
@@ -2957,6 +2961,19 @@ virDomainCachetuneDefFree(virDomainCachetuneDefPtr cachetune)
 }
 
 
+static void
+virDomainSEVDefFree(virDomainSevDefPtr def)
+{
+    if (!def)
+        return;
+
+    VIR_FREE(def->dh_cert);
+    VIR_FREE(def->session);
+
+    VIR_FREE(def);
+}
+
+
 void virDomainDefFree(virDomainDefPtr def)
 {
     size_t i;
@@ -3139,6 +3156,8 @@ void virDomainDefFree(virDomainDefPtr def)
     if (def->namespaceData && def->ns.free)
         (def->ns.free)(def->namespaceData);
 
+    virDomainSEVDefFree(def->sev);
+
     xmlFreeNode(def->metadata);
 
     VIR_FREE(def);
@@ -15826,6 +15845,85 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
 }
 
 
+static virDomainSevDefPtr
+virDomainSEVDefParseXML(xmlNodePtr sevNode,
+                        xmlXPathContextPtr ctxt)
+{
+    char *tmp = NULL;
+    char *type = NULL;
+    xmlNodePtr save = ctxt->node;
+    virDomainSevDefPtr def;
+    unsigned long policy;
+
+    ctxt->node = sevNode;
+
+    if (VIR_ALLOC(def) < 0)
+        return NULL;
+
+    if (!(type = virXMLPropString(sevNode, "type"))) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("missing launch-security type"));
+        goto error;
+    }
+
+    def->sectype = virDomainLaunchSecurityTypeFromString(type);
+    switch ((virDomainLaunchSecurity) def->sectype) {
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+    case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+    default:
+        virReportError(VIR_ERR_XML_ERROR,
+                       _("unsupported launch-security type '%s'"),
+                       type);
+        goto error;
+    }
+
+    if (virXPathUInt("string(./cbitpos)", ctxt, &def->cbitpos) < 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch-security cbitpos"));
+        goto error;
+    }
+
+    if (virXPathUInt("string(./reduced-phys-bits)", ctxt,
+                     &def->reduced_phys_bits) < 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch-security reduced-phys-bits"));
+        goto error;
+    }
+
+    if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch-security policy"));
+        goto error;
+    }
+
+    def->policy = policy;
+
+    if ((tmp = virXPathString("string(./dh-cert)", ctxt))) {
+        if (VIR_STRDUP(def->dh_cert, tmp) < 0)
+            goto error;
+
+        VIR_FREE(tmp);
+    }
+
+    if ((tmp = virXPathString("string(./session)", ctxt))) {
+        if (VIR_STRDUP(def->session, tmp) < 0)
+            goto error;
+
+        VIR_FREE(tmp);
+    }
+
+    ctxt->node = save;
+    return def;
+
+ error:
+    VIR_FREE(tmp);
+    virDomainSEVDefFree(def);
+    ctxt->node = save;
+    return NULL;
+}
+
 static virDomainMemoryDefPtr
 virDomainMemoryDefParseXML(virDomainXMLOptionPtr xmlopt,
                            xmlNodePtr memdevNode,
@@ -20631,6 +20729,13 @@ virDomainDefParseXML(xmlDocPtr xml,
     ctxt->node = node;
     VIR_FREE(nodes);
 
+    /* Check for SEV feature */
+    if ((node = virXPathNode("./launch-security", ctxt)) != NULL) {
+        def->sev = virDomainSEVDefParseXML(node, ctxt);
+        if (!def->sev)
+            goto error;
+    }
+
     /* analysis of memory devices */
     if ((n = virXPathNodeSet("./devices/memory", ctxt, &nodes)) < 0)
         goto error;
@@ -26642,6 +26747,32 @@ virDomainKeyWrapDefFormat(virBufferPtr buf, virDomainKeyWrapDefPtr keywrap)
     virBufferAddLit(buf, "</keywrap>\n");
 }
 
+
+static void
+virDomainSEVDefFormat(virBufferPtr buf, virDomainSevDefPtr sev)
+{
+    if (!sev)
+        return;
+
+    virBufferAsprintf(buf, "<launch-security type='%s'>\n",
+                      virDomainLaunchSecurityTypeToString(sev->sectype));
+    virBufferAdjustIndent(buf, 2);
+
+    virBufferAsprintf(buf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
+    virBufferAsprintf(buf, "<reduced-phys-bits>%d</reduced-phys-bits>\n",
+                      sev->reduced_phys_bits);
+    virBufferAsprintf(buf, "<policy>0x%04x</policy>\n", sev->policy);
+    if (sev->dh_cert)
+        virBufferEscapeString(buf, "<dh-cert>%s</dh-cert>\n", sev->dh_cert);
+
+    if (sev->session)
+        virBufferEscapeString(buf, "<session>%s</session>\n", sev->session);
+
+    virBufferAdjustIndent(buf, -2);
+    virBufferAddLit(buf, "</launch-security>\n");
+}
+
+
 static void
 virDomainPerfDefFormat(virBufferPtr buf, virDomainPerfDefPtr perf)
 {
@@ -27906,6 +28037,8 @@ virDomainDefFormatInternal(virDomainDefPtr def,
     if (def->keywrap)
         virDomainKeyWrapDefFormat(buf, def->keywrap);
 
+    virDomainSEVDefFormat(buf, def->sev);
+
     virBufferAdjustIndent(buf, -2);
     virBufferAddLit(buf, "</domain>\n");
 
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index a41cdce6ff63adfe460a581ec028a5f00643f386..fe7a6bb21bee7eaa964d8981d6b1947887aec3da 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -142,6 +142,9 @@ typedef virDomainPanicDef *virDomainPanicDefPtr;
 typedef struct _virDomainMemoryDef virDomainMemoryDef;
 typedef virDomainMemoryDef *virDomainMemoryDefPtr;
 
+typedef struct _virDomainSevDef virDomainSevDef;
+typedef virDomainSevDef *virDomainSevDefPtr;
+
 /* forward declarations virDomainChrSourceDef, required by
  * virDomainNetDef
  */
@@ -2317,6 +2320,26 @@ struct _virDomainKeyWrapDef {
     int dea; /* enum virTristateSwitch */
 };
 
+typedef enum {
+    VIR_DOMAIN_LAUNCH_SECURITY_NONE,
+    VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+
+    VIR_DOMAIN_LAUNCH_SECURITY_LAST,
+} virDomainLaunchSecurity;
+
+typedef struct _virDomainSevDef virDomainSevDef;
+typedef virDomainSevDef *virDomainSevDefPtr;
+
+struct _virDomainSevDef {
+    int sectype; /* enum virDomainLaunchSecurity */
+    char *dh_cert;
+    char *session;
+    unsigned int policy;
+    unsigned int cbitpos;
+    unsigned int reduced_phys_bits;
+};
+
+
 typedef enum {
     VIR_DOMAIN_IOMMU_MODEL_INTEL,
 
@@ -2508,6 +2531,9 @@ struct _virDomainDef {
 
     virDomainKeyWrapDefPtr keywrap;
 
+    /* SEV-specific domain */
+    virDomainSevDefPtr sev;
+
     /* Application-specific custom metadata */
     xmlNodePtr metadata;
 
@@ -3418,6 +3444,7 @@ VIR_ENUM_DECL(virDomainMemoryAllocation)
 VIR_ENUM_DECL(virDomainIOMMUModel)
 VIR_ENUM_DECL(virDomainVsockModel)
 VIR_ENUM_DECL(virDomainShmemModel)
+VIR_ENUM_DECL(virDomainLaunchSecurity)
 /* from libvirt.h */
 VIR_ENUM_DECL(virDomainState)
 VIR_ENUM_DECL(virDomainNostateReason)
diff --git a/tests/genericxml2xmlindata/launch-security-sev.xml b/tests/genericxml2xmlindata/launch-security-sev.xml
new file mode 100644
index 0000000000000000000000000000000000000000..fb64e1e4bec306df48ea142154400b1958e3ab60
--- /dev/null
+++ b/tests/genericxml2xmlindata/launch-security-sev.xml
@@ -0,0 +1,24 @@
+<domain type='kvm'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-1.0'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+  </devices>
+  <launch-security type='sev'>
+    <cbitpos>47</cbitpos>
+    <reduced-phys-bits>1</reduced-phys-bits>
+    <policy>0x0001</policy>
+    <dh-cert>AQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAAAQAAAAAOAAA</dh-cert>
+    <session>IHAVENOIDEABUTJUSTPROVIDINGASTRING</session>
+  </launch-security>
+</domain>
diff --git a/tests/genericxml2xmltest.c b/tests/genericxml2xmltest.c
index daad6e0f78d86e03984f71ce47a10a95a0e27b7b..7a4fc1eb7a798eb2ee860ddbd454ff42265ee026 100644
--- a/tests/genericxml2xmltest.c
+++ b/tests/genericxml2xmltest.c
@@ -143,6 +143,8 @@ mymain(void)
 
     DO_TEST("tseg");
 
+    DO_TEST("launch-security-sev");
+
     virObjectUnref(caps);
     virObjectUnref(xmlopt);
 

Bit(s)	Description
0	Debugging of the guest is disallowed when set
1	Sharing keys with other guests is disallowed when set
2	SEV-ES is required when set
3	Sending the guest to another platform is disallowed when set
4	The guest must not be transmitted to another platform that is + not in the domain when set.
5	The guest must not be transmitted to another platform that is + not SEV capable when set.
6:15	reserved
16:32	The guest must not be transmitted to another platform with a + lower firmware version.