diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 56d94bb1bae288c58fe5b824b9e64632c97b9db1..920b6fae64e3559c785144c7fe1dade9bd4dd5d5 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -8765,6 +8765,11 @@ these security states. For more information see the Learn the architecture -
 Arm Confidential Compute Architecture software stack:
 `<https://developer.arm.com/documentation/den0127/latest>`__
 
+Some modern AMD processors support Secure Encrypted Virtualization with Secure
+Nested Paging enhancement, also known as SEV-SNP. :since:`Since 10.5.0` To
+enable it ``<launchSecurity type='sev-snp'>`` should be used. It shares some
+attributes and elements with ``type='sev'`` but differs in others. Example configuration:
+
 ::
 
   <domain>
@@ -8773,6 +8778,15 @@ Arm Confidential Compute Architecture software stack:
       <measurement-algo>sha256</measurement-algo>
       <personalization-value>...</personalization-value>
     </launchSecurity>
+    <launchSecurity type='sev-snp' authorKey='yes' vcek='no'>
+      <cbitpos>47</cbitpos>
+      <reducedPhysBits>1</reducedPhysBits>
+      <policy>0x00030000</policy>
+      <guestVisibleWorkarounds>...</guestVisibleWorkarounds>
+      <idBlock>...</idBlock>
+      <idAuth>...</idAuth>
+      <hostData>.../hostData>
+    </launchSecurity>
     ...
   </domain>
 
@@ -8796,6 +8810,89 @@ The ``<launchSecurity/>`` element accepts the following attributes:
    The optional ``measurement-log`` element provides a way to create
    an event log in the format defined by the Trusted Computing Group
    for TPM2.
+``kernelHashes``
+   The optional ``kernelHashes`` attribute indicates whether the
+   hashes of the kernel, ramdisk and command line should be included
+   in the measurement done by the firmware. This is only valid if
+   using direct kernel boot.
+
+``authorKey``
+   The optional ``authorKey`` attribute indicates whether ``<idAuth/>`` element
+   contains the 'AUTHOR_KEY' field defined SEV-SNP firmware ABI.
+
+``vcek``
+   The optional ``vcek`` attribute indicates whether the guest is allowed to
+   chose between VLEK (Versioned Loaded Endorsement Key) or VCEK (Versioned
+   Chip Endorsement Key)  when requesting attestation reports from firmware.
+   Set this to ``no`` to disable the use of VCEK.
+
+Aforementioned SEV-SNP firmware ABI can be found here:
+`<https://www.amd.com/system/files/TechDocs/56860.pdf>`__
+
+The ``<launchSecurity/>`` element then accepts the following child elements:
+
+``cbitpos``
+   The required ``cbitpos`` element provides the C-bit (aka encryption bit)
+   location in guest page table entry. The value of ``cbitpos`` is hypervisor
+   dependent and can be obtained through the ``sev`` element from the domain
+   capabilities.
+``reducedPhysBits``
+   The required ``reducedPhysBits`` element provides the physical address bit
+   reduction. Similar to ``cbitpos`` the value of ``reduced-phys-bit`` is
+   hypervisor dependent and can be obtained through the ``sev`` element from the
+   domain capabilities.
+``policy``
+   The required ``policy`` element provides the guest policy which must be
+   maintained by the SEV-SNP firmware. This policy is enforced by the firmware
+   and restricts what configuration and operational commands can be performed
+   on this guest by the hypervisor. The guest policy provided during guest
+   launch is bound to the guest and cannot be changed throughout the lifetime
+   of the guest. The policy is also transmitted during snapshot and migration
+   flows and enforced on the destination platform. The guest policy is a 64bit
+   unsigned number with the fields shown in table (See section `4.3 Guest
+   Policy` in aforementioned firmware ABI specification):
+
+   ====== =========================================================================================
+   Bit(s) Description
+   ====== =========================================================================================
+   63:25  Reserved. Must be zero.
+   24     Ciphertext hiding must be enabled when set, otherwise may be enabled or disabled.
+   23     Running Average Power Limit (RAPL) must be disabled when set.
+   22     Require AES 256 XTS for memory encryption when set, otherwise AES 128 XEX may be allowed.
+   21     CXL can be populated with devices or memory when set.
+   20     Guest can be activated only on one socket when set.
+   19     Debugging is allowed when set.
+   18     Association with a migration agent is allowed when set.
+   17     Reserved. Must be set.
+   16     SMT is allowed.
+   15:8   The minimum ABI major version required for this guest to run.
+   7:0    The minimum ABI minor version required for this guest to run.
+   ====== =========================================================================================
+
+   The default value is hypervisor dependant and QEMU defaults to value 0x30000
+   meaning no minimum ABI major/minor version is required and SMT is allowed.
+
+``guestVisibleWorkarounds``
+   The optional ``guestVisibleWorkarounds`` element is a 16-byte,
+   base64-encoded blob to report hypervisor-defined workarounds, corresponding
+   to the 'GOSVW' parameter of the SNP_LAUNCH_START command defined in the
+   SEV-SNP firmware ABI.
+
+``idBlock``
+   The optional ``idBlock`` element is a 96-byte, base64-encoded blob to
+   provide the 'ID Block' structure for the SNP_LAUNCH_FINISH command defined
+   in the SEV-SNP firmware ABI.
+
+``idAuth``
+   The optional ``idAuth`` element is a 4096-byte, base64-encoded blob to
+   provide the 'ID Authentication Information Structure' for the
+   SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI.
+
+``hostData``
+   The optional ``hostData`` element is a 32-byte, base64-encoded, user-defined
+   blob to provide to the guest, as documented for the 'HOST_DATA' parameter of
+   the SNP_LAUNCH_FINISH command in the SEV-SNP firmware ABI.
+
 
 Example configs
 ===============
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
index a2549d001cab4282e0574c19d3816076fa3a66f6..2d8ec632c58e0097d48de51d18b3d71aac5e42c4 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -6330,6 +6330,16 @@ int virDomainSetLifecycleAction(virDomainPtr domain,
  */
 # define VIR_DOMAIN_LAUNCH_SECURITY_SEV_POLICY "sev-policy"
 
+/**
+ * VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP_POLICY:
+ *
+ * Macro represents the policy of the SEV-SNP guest,
+ * as VIR_TYPED_PARAM_ULLONG.
+ *
+ * Since: 10.5.0
+ */
+# define VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP_POLICY "sev-snp-policy"
+
 /**
  * VIR_DOMAIN_LAUNCH_SECURITY_SEV_SECRET_HEADER:
  *
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index 02298e40a310aa0754e65800cdfa9c25a421a76b..aca9be7c835703e2c63fc4345932172252d872e6 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -688,10 +688,8 @@ virCapabilitiesDomainDataLookupInternal(virCaps *caps,
         if (domaintype > VIR_DOMAIN_VIRT_NONE)
             virBufferAsprintf(&buf, "domaintype=%s ",
                               virDomainVirtTypeToString(domaintype));
-        if (emulator)
-            virBufferEscapeString(&buf, "emulator=%s ", emulator);
-        if (machinetype)
-            virBufferEscapeString(&buf, "machine=%s ", machinetype);
+        virBufferEscapeString(&buf, "emulator=%s ", emulator);
+        virBufferEscapeString(&buf, "machine=%s ", machinetype);
         if (virBufferCurrentContent(&buf) &&
             !virBufferCurrentContent(&buf)[0])
             virBufferAsprintf(&buf, "%s", _("any configuration"));
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e30ec0dca4c788669edf682c284337884a6c7aa1..fcc12e0955180995b232605429bfba93bfd1caf3 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1515,6 +1515,7 @@ VIR_ENUM_IMPL(virDomainLaunchSecurity,
               VIR_DOMAIN_LAUNCH_SECURITY_LAST,
               "",
               "sev",
+              "sev-snp",
               "s390-pv",
               "cvm",
               "cca",
@@ -3827,7 +3828,7 @@ virDomainSecDefFree(virDomainSecDef *def)
     if (!def)
         return;
 
-    switch ((virDomainLaunchSecurity) def->sectype) {
+    switch (def->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         g_free(def->data.sev.dh_cert);
         g_free(def->data.sev.session);
@@ -3835,6 +3836,12 @@ virDomainSecDefFree(virDomainSecDef *def)
         g_free(def->data.sev.secret_header);
         g_free(def->data.sev.secret);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        g_free(def->data.sev_snp.guest_visible_workarounds);
+        g_free(def->data.sev_snp.id_block);
+        g_free(def->data.sev_snp.id_auth);
+        g_free(def->data.sev_snp.host_data);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
         g_free(def->data.cca.measurement_algo);
         g_free(def->data.cca.personalization_value);
@@ -5384,8 +5391,7 @@ virDomainDeviceInfoFormat(virBuffer *buf,
             if (rombar)
                 virBufferAsprintf(buf, " bar='%s'", rombar);
         }
-        if (info->romfile)
-            virBufferEscapeString(buf, " file='%s'", info->romfile);
+        virBufferEscapeString(buf, " file='%s'", info->romfile);
         virBufferAddLit(buf, "/>\n");
     }
 
@@ -13533,8 +13539,8 @@ virDomainMemoryTargetDefParseXML(xmlNodePtr node,
 
 
 static int
-virDomainSEVDefParseXML(virDomainSEVDef *def,
-                        xmlXPathContextPtr ctxt)
+virDomainSEVCommonDefParseXML(virDomainSEVCommonDef *def,
+                              xmlXPathContextPtr ctxt)
 {
     int rc;
 
@@ -13542,12 +13548,6 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
                                &def->kernel_hashes) < 0)
         return -1;
 
-    if (virXPathUIntBase("string(./policy)", ctxt, 16, &def->policy) < 0) {
-        virReportError(VIR_ERR_XML_ERROR, "%s",
-                       _("failed to get launch security policy"));
-        return -1;
-    }
-
     /* the following attributes are platform dependent and if missing, we can
      * autofill them from domain capabilities later
      */
@@ -13570,6 +13570,23 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
         return -1;
     }
 
+    return 0;
+}
+
+
+static int
+virDomainSEVDefParseXML(virDomainSEVDef *def,
+                        xmlXPathContextPtr ctxt)
+{
+    if (virDomainSEVCommonDefParseXML(&def->common, ctxt) < 0)
+        return -1;
+
+    if (virXPathUIntBase("string(./policy)", ctxt, 16, &def->policy) < 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch security policy"));
+        return -1;
+    }
+
     def->dh_cert = virXPathString("string(./dhCert)", ctxt);
     def->session = virXPathString("string(./session)", ctxt);
     def->user_id = virXPathString("string(./userid)", ctxt);
@@ -13579,6 +13596,34 @@ virDomainSEVDefParseXML(virDomainSEVDef *def,
     return 0;
 }
 
+static int
+virDomainSEVSNPDefParseXML(virDomainSEVSNPDef *def,
+                           xmlXPathContextPtr ctxt)
+{
+    if (virDomainSEVCommonDefParseXML(&def->common, ctxt) < 0)
+        return -1;
+
+    if (virXMLPropTristateBool(ctxt->node, "authorKey", VIR_XML_PROP_NONE,
+                               &def->author_key) < 0)
+        return -1;
+
+    if (virXMLPropTristateBool(ctxt->node, "vcek", VIR_XML_PROP_NONE,
+                               &def->vcek) < 0)
+        return -1;
+
+    if (virXPathULongLongBase("string(./policy)", ctxt, 16, &def->policy) < 0) {
+        virReportError(VIR_ERR_XML_ERROR, "%s",
+                       _("failed to get launch security policy"));
+        return -1;
+    }
+
+    def->guest_visible_workarounds = virXPathString("string(./guestVisibleWorkarounds)", ctxt);
+    def->id_block = virXPathString("string(./idBlock)", ctxt);
+    def->id_auth = virXPathString("string(./idAuth)", ctxt);
+    def->host_data = virXPathString("string(./hostData)", ctxt);
+
+    return 0;
+}
 
 static int
 virDomainCCADefParseXML(virDomainCCADef *def,
@@ -13609,11 +13654,15 @@ virDomainSecDefParseXML(xmlNodePtr lsecNode,
                        &sec->sectype) < 0)
         return NULL;
 
-    switch ((virDomainLaunchSecurity) sec->sectype) {
+    switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         if (virDomainSEVDefParseXML(&sec->data.sev, ctxt) < 0)
             return NULL;
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        if (virDomainSEVSNPDefParseXML(&sec->data.sev_snp, ctxt) < 0)
+            return NULL;
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
         break;
@@ -18350,7 +18399,7 @@ virDomainMemorytuneDefParseMemory(xmlXPathContextPtr ctxt,
 
     if (virXMLPropUIntDefault(node, "min_bandwidth", 10, VIR_XML_PROP_NONE, &min_bandwidth, UINT_MAX) < 0)
         return -1;
-    
+
     if (min_bandwidth != UINT_MAX &&
         virResctrlAllocSetMemoryBandwidth(alloc, VIR_MEMORY_TYPE_MIN_BANDWIDTH, id, min_bandwidth) < 0)
         return -1;
@@ -22293,8 +22342,7 @@ virSecurityDeviceLabelDefFormat(virBuffer *buf,
 
     virBufferAddLit(buf, "<seclabel");
 
-    if (def->model)
-        virBufferEscapeString(buf, " model='%s'", def->model);
+    virBufferEscapeString(buf, " model='%s'", def->model);
 
     if (def->labelskip)
         virBufferAddLit(buf, " labelskip='yes'");
@@ -22489,8 +22537,7 @@ virDomainDiskSourceFormatNetwork(virBuffer *attrBuf,
         virBufferAsprintf(childBuf, "<timeout seconds='%llu'/>\n", src->timeout);
 
     if (src->protocol == VIR_STORAGE_NET_PROTOCOL_SSH) {
-        if (src->ssh_known_hosts_file)
-            virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file);
+        virBufferEscapeString(childBuf, "<knownHosts path='%s'/>\n", src->ssh_known_hosts_file);
         if (src->ssh_keyfile || src->ssh_agent) {
             virBufferAddLit(childBuf, "<identity");
 
@@ -23258,8 +23305,7 @@ virDomainControllerDefFormat(virBuffer *buf,
                       " type='%s' index='%d'",
                       type, def->idx);
 
-    if (model)
-        virBufferEscapeString(&attrBuf, " model='%s'", model);
+    virBufferEscapeString(&attrBuf, " model='%s'", model);
 
     switch (def->type) {
     case VIR_DOMAIN_CONTROLLER_TYPE_VIRTIO_SERIAL:
@@ -24678,8 +24724,7 @@ virDomainChrTargetDefFormat(virBuffer *buf,
 
         case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_XEN:
         case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
-            if (def->target.name)
-                virBufferEscapeString(buf, " name='%s'", def->target.name);
+            virBufferEscapeString(buf, " name='%s'", def->target.name);
 
             if (def->targetType == VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO &&
                 def->state != VIR_DOMAIN_CHR_DEVICE_STATE_DEFAULT &&
@@ -26086,9 +26131,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
             break;
         }
 
-        if (def->data.vnc.keymap)
-            virBufferEscapeString(buf, " keymap='%s'",
-                                  def->data.vnc.keymap);
+        virBufferEscapeString(buf, " keymap='%s'",
+                              def->data.vnc.keymap);
 
         if (def->data.vnc.sharePolicy)
             virBufferAsprintf(buf, " sharePolicy='%s'",
@@ -26103,13 +26147,11 @@ virDomainGraphicsDefFormat(virBuffer *buf,
         break;
 
     case VIR_DOMAIN_GRAPHICS_TYPE_SDL:
-        if (def->data.sdl.display)
-            virBufferEscapeString(buf, " display='%s'",
-                                  def->data.sdl.display);
+        virBufferEscapeString(buf, " display='%s'",
+                              def->data.sdl.display);
 
-        if (def->data.sdl.xauth)
-            virBufferEscapeString(buf, " xauth='%s'",
-                                  def->data.sdl.xauth);
+        virBufferEscapeString(buf, " xauth='%s'",
+                              def->data.sdl.xauth);
         if (def->data.sdl.fullscreen)
             virBufferAddLit(buf, " fullscreen='yes'");
 
@@ -26148,9 +26190,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
         break;
 
     case VIR_DOMAIN_GRAPHICS_TYPE_DESKTOP:
-        if (def->data.desktop.display)
-            virBufferEscapeString(buf, " display='%s'",
-                                  def->data.desktop.display);
+        virBufferEscapeString(buf, " display='%s'",
+                              def->data.desktop.display);
 
         if (def->data.desktop.fullscreen)
             virBufferAddLit(buf, " fullscreen='yes'");
@@ -26203,9 +26244,8 @@ virDomainGraphicsDefFormat(virBuffer *buf,
             break;
         }
 
-        if (def->data.spice.keymap)
-            virBufferEscapeString(buf, " keymap='%s'",
-                                  def->data.spice.keymap);
+        virBufferEscapeString(buf, " keymap='%s'",
+                              def->data.spice.keymap);
 
         if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY)
             virBufferAsprintf(buf, " defaultMode='%s'",
@@ -26582,11 +26622,9 @@ virDomainResourceDefFormat(virBuffer *buf,
     if (!def)
         return;
 
-    if (def->partition)
-        virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition);
+    virBufferEscapeString(&childBuf, "<partition>%s</partition>\n", def->partition);
 
-    if (def->appid)
-        virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid);
+    virBufferEscapeString(&childBuf, "<fibrechannel appid='%s'/>\n", def->appid);
 
     virXMLFormatElement(buf, "resource", NULL, &childBuf);
 }
@@ -26732,6 +26770,73 @@ virDomainKeyWrapDefFormat(virBuffer *buf, virDomainKeyWrapDef *keywrap)
 }
 
 
+static void
+virDomainSEVCommonDefFormat(virBuffer *attrBuf,
+                            virBuffer *childBuf,
+                            virDomainSEVCommonDef *def)
+{
+    if (def->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
+        virBufferAsprintf(attrBuf, " kernelHashes='%s'",
+                          virTristateBoolTypeToString(def->kernel_hashes));
+
+    if (def->haveCbitpos)
+        virBufferAsprintf(childBuf, "<cbitpos>%d</cbitpos>\n", def->cbitpos);
+
+    if (def->haveReducedPhysBits)
+        virBufferAsprintf(childBuf, "<reducedPhysBits>%d</reducedPhysBits>\n",
+                          def->reduced_phys_bits);
+}
+
+
+static void
+virDomainSEVDefFormat(virBuffer *attrBuf,
+                      virBuffer *childBuf,
+                      virDomainSEVDef *def)
+{
+    virDomainSEVCommonDefFormat(attrBuf, childBuf, &def->common);
+
+    virBufferAsprintf(childBuf, "<policy>0x%04x</policy>\n", def->policy);
+    virBufferEscapeString(childBuf, "<dhCert>%s</dhCert>\n", def->dh_cert);
+    virBufferEscapeString(childBuf, "<session>%s</session>\n", def->session);
+	if (def->user_id)
+		virBufferEscapeString(childBuf, "<userid>%s</userid>\n", def->user_id);
+	if (def->secret_header)
+		virBufferEscapeString(childBuf, "<secretHeader>%s</secretHeader>\n",
+		def->secret_header);
+	if (def->secret)
+		virBufferEscapeString(childBuf, "<secret>%s</secret>\n", def->secret);
+
+}
+
+
+static void
+virDomainSEVSNPDefFormat(virBuffer *attrBuf,
+                         virBuffer *childBuf,
+                         virDomainSEVSNPDef *def)
+{
+    virDomainSEVCommonDefFormat(attrBuf, childBuf, &def->common);
+
+    if (def->author_key != VIR_TRISTATE_BOOL_ABSENT) {
+        virBufferAsprintf(attrBuf, " authorKey='%s'",
+                          virTristateBoolTypeToString(def->author_key));
+    }
+
+    if (def->vcek != VIR_TRISTATE_BOOL_ABSENT) {
+        virBufferAsprintf(attrBuf, " vcek='%s'",
+                          virTristateBoolTypeToString(def->vcek));
+    }
+
+    virBufferAsprintf(childBuf, "<policy>0x%08llx</policy>\n", def->policy);
+
+    virBufferEscapeString(childBuf,
+                          "<guestVisibleWorkarounds>%s</guestVisibleWorkarounds>\n",
+                          def->guest_visible_workarounds);
+    virBufferEscapeString(childBuf, "<idBlock>%s</idBlock>\n", def->id_block);
+    virBufferEscapeString(childBuf, "<idAuth>%s</idAuth>\n", def->id_auth);
+    virBufferEscapeString(childBuf, "<hostData>%s</hostData>\n", def->host_data);
+}
+
+
 static void
 virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
 {
@@ -26744,36 +26849,14 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec)
     virBufferAsprintf(&attrBuf, " type='%s'",
                       virDomainLaunchSecurityTypeToString(sec->sectype));
 
-    switch ((virDomainLaunchSecurity) sec->sectype) {
-    case VIR_DOMAIN_LAUNCH_SECURITY_SEV: {
-        virDomainSEVDef *sev = &sec->data.sev;
-
-        if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT)
-            virBufferAsprintf(&attrBuf, " kernelHashes='%s'",
-                              virTristateBoolTypeToString(sev->kernel_hashes));
-
-        if (sev->haveCbitpos)
-            virBufferAsprintf(&childBuf, "<cbitpos>%d</cbitpos>\n", sev->cbitpos);
-
-        if (sev->haveReducedPhysBits)
-            virBufferAsprintf(&childBuf, "<reducedPhysBits>%d</reducedPhysBits>\n",
-                              sev->reduced_phys_bits);
-        virBufferAsprintf(&childBuf, "<policy>0x%04x</policy>\n", sev->policy);
-        if (sev->dh_cert)
-            virBufferEscapeString(&childBuf, "<dhCert>%s</dhCert>\n", sev->dh_cert);
-
-        if (sev->session)
-            virBufferEscapeString(&childBuf, "<session>%s</session>\n", sev->session);
-
-        if (sev->user_id)
-            virBufferEscapeString(&childBuf, "<userid>%s</userid>\n", sev->user_id);
-        if (sev->secret_header)
-            virBufferEscapeString(&childBuf, "<secretHeader>%s</secretHeader>\n", sev->secret_header);
-        if (sev->secret)
-            virBufferEscapeString(&childBuf, "<secret>%s</secret>\n", sev->secret);
+    switch (sec->sectype) {
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        virDomainSEVDefFormat(&attrBuf, &childBuf, &sec->data.sev);
+        break;
 
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        virDomainSEVSNPDefFormat(&attrBuf, &childBuf, &sec->data.sev_snp);
         break;
-    }
 
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
     case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
@@ -28020,9 +28103,8 @@ virDomainDefFormatInternalSetRootName(virDomainDef *def,
     for (i = 0; def->os.initenv && def->os.initenv[i]; i++)
         virBufferAsprintf(buf, "<initenv name='%s'>%s</initenv>\n",
                           def->os.initenv[i]->name, def->os.initenv[i]->value);
-    if (def->os.initdir)
-        virBufferEscapeString(buf, "<initdir>%s</initdir>\n",
-                              def->os.initdir);
+    virBufferEscapeString(buf, "<initdir>%s</initdir>\n",
+                          def->os.initdir);
     if (def->os.inituser)
         virBufferAsprintf(buf, "<inituser>%s</inituser>\n", def->os.inituser);
     if (def->os.initgroup)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index cadca3324651092a3ef70101248c5afb272dde4e..7b2c932a18fba84c3d57e1e5ea0435f8f0d7f959 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -2859,6 +2859,7 @@ struct _virDomainKeyWrapDef {
 typedef enum {
     VIR_DOMAIN_LAUNCH_SECURITY_NONE,
     VIR_DOMAIN_LAUNCH_SECURITY_SEV,
+    VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP,
     VIR_DOMAIN_LAUNCH_SECURITY_PV,
     VIR_DOMAIN_LAUNCH_SECURITY_CVM,
     VIR_DOMAIN_LAUNCH_SECURITY_CCA,
@@ -2867,15 +2868,19 @@ typedef enum {
 } virDomainLaunchSecurity;
 
 
-struct _virDomainSEVDef {
-    char *dh_cert;
-    char *session;
-    unsigned int policy;
+struct _virDomainSEVCommonDef {
     bool haveCbitpos;
     unsigned int cbitpos;
     bool haveReducedPhysBits;
     unsigned int reduced_phys_bits;
     virTristateBool kernel_hashes;
+};
+
+struct _virDomainSEVDef {
+    virDomainSEVCommonDef common;
+    char *dh_cert;
+    char *session;
+    unsigned int policy;
     char *user_id;
     char *secret_header;
     char *secret;
@@ -2887,10 +2892,23 @@ struct _virDomainCCADef {
     virTristateBool measurement_log;
 };
 
+struct _virDomainSEVSNPDef {
+    virDomainSEVCommonDef common;
+    unsigned long long policy;
+    char *guest_visible_workarounds;
+    char *id_block;
+    char *id_auth;
+    char *host_data;
+    virTristateBool author_key;
+    virTristateBool vcek;
+};
+
+
 struct _virDomainSecDef {
     virDomainLaunchSecurity sectype;
     union {
         virDomainSEVDef sev;
+        virDomainSEVSNPDef sev_snp;
         virDomainCCADef cca;
     } data;
 };
diff --git a/src/conf/domain_validate.c b/src/conf/domain_validate.c
index d88ef6b9152880717e05e72ac107108ddadaeaca..8f6f009f448a50791f7d722b36af81ca3880394b 100644
--- a/src/conf/domain_validate.c
+++ b/src/conf/domain_validate.c
@@ -1787,6 +1787,50 @@ virDomainDefValidateIOThreads(const virDomainDef *def)
 }
 
 
+#define CHECK_BASE64_LEN(val, elemName, exp_len) \
+{ \
+    size_t len; \
+    g_autofree unsigned char *tmp = NULL; \
+    if (val && (tmp = g_base64_decode(val, &len)) && len != exp_len) { \
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, \
+                       _("Unexpected length of '%1$s', expected %2$u got %3$zu"), \
+                        elemName, exp_len, len); \
+        return -1; \
+    } \
+}
+
+static int
+virDomainDefLaunchSecurityValidate(const virDomainDef *def)
+{
+    virDomainSEVSNPDef *sev_snp;
+
+    if (!def->sec)
+        return 0;
+
+    switch (def->sec->sectype) {
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        sev_snp = &def->sec->data.sev_snp;
+
+        CHECK_BASE64_LEN(sev_snp->guest_visible_workarounds, "guestVisibleWorkarounds", 16);
+        CHECK_BASE64_LEN(sev_snp->id_block, "idBlock", 96);
+        CHECK_BASE64_LEN(sev_snp->id_auth, "idAuth", 4096);
+        CHECK_BASE64_LEN(sev_snp->host_data, "hostData", 32);
+        break;
+
+    case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+    case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+        break;
+    }
+
+    return 0;
+}
+
+#undef CHECK_BASE64_LEN
+
 static int
 virDomainDefValidateInternal(const virDomainDef *def,
                              virDomainXMLOption *xmlopt)
@@ -1842,6 +1886,9 @@ virDomainDefValidateInternal(const virDomainDef *def,
     if (virDomainDefValidateIOThreads(def) < 0)
         return -1;
 
+    if (virDomainDefLaunchSecurityValidate(def) < 0)
+        return -1;
+
     return 0;
 }
 
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 0449b6f07c7325650d336df63e5c0add0928530a..cc8956af538c44e37f23c8ea34e517c9a12a8b85 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -2043,10 +2043,8 @@ virNetworkDNSDefFormat(virBuffer *buf,
                                   def->srvs[i].service);
             virBufferEscapeString(buf, "protocol='%s'", def->srvs[i].protocol);
 
-            if (def->srvs[i].domain)
-                virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain);
-            if (def->srvs[i].target)
-                virBufferEscapeString(buf, " target='%s'", def->srvs[i].target);
+            virBufferEscapeString(buf, " domain='%s'", def->srvs[i].domain);
+            virBufferEscapeString(buf, " target='%s'", def->srvs[i].target);
             if (def->srvs[i].port)
                 virBufferAsprintf(buf, " port='%d'", def->srvs[i].port);
             if (def->srvs[i].priority)
diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index f722ab37c60a60998f62fa5fa0a7f67cbac1e395..6c78c9a263381c27bcae540bf9f84cd2949a8b56 100644
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -176,20 +176,16 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf,
 {
     char uuidstr[VIR_UUID_STRING_BUFLEN];
 
-    if (data->system.product_name)
-        virBufferEscapeString(buf, "<product>%s</product>\n",
-                              data->system.product_name);
+    virBufferEscapeString(buf, "<product>%s</product>\n",
+                          data->system.product_name);
     virBufferAddLit(buf, "<hardware>\n");
     virBufferAdjustIndent(buf, 2);
-    if (data->system.hardware.vendor_name)
-        virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
-                              data->system.hardware.vendor_name);
-    if (data->system.hardware.version)
-        virBufferEscapeString(buf, "<version>%s</version>\n",
-                              data->system.hardware.version);
-    if (data->system.hardware.serial)
-        virBufferEscapeString(buf, "<serial>%s</serial>\n",
-                              data->system.hardware.serial);
+    virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
+                          data->system.hardware.vendor_name);
+    virBufferEscapeString(buf, "<version>%s</version>\n",
+                          data->system.hardware.version);
+    virBufferEscapeString(buf, "<serial>%s</serial>\n",
+                          data->system.hardware.serial);
     virUUIDFormat(data->system.hardware.uuid, uuidstr);
     virBufferAsprintf(buf, "<uuid>%s</uuid>\n", uuidstr);
     virBufferAdjustIndent(buf, -2);
@@ -197,15 +193,12 @@ virNodeDeviceCapSystemDefFormat(virBuffer *buf,
 
     virBufferAddLit(buf, "<firmware>\n");
     virBufferAdjustIndent(buf, 2);
-    if (data->system.firmware.vendor_name)
-        virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
-                              data->system.firmware.vendor_name);
-    if (data->system.firmware.version)
-        virBufferEscapeString(buf, "<version>%s</version>\n",
-                              data->system.firmware.version);
-    if (data->system.firmware.release_date)
-        virBufferEscapeString(buf, "<release_date>%s</release_date>\n",
-                              data->system.firmware.release_date);
+    virBufferEscapeString(buf, "<vendor>%s</vendor>\n",
+                          data->system.firmware.vendor_name);
+    virBufferEscapeString(buf, "<version>%s</version>\n",
+                          data->system.firmware.version);
+    virBufferEscapeString(buf, "<release_date>%s</release_date>\n",
+                          data->system.firmware.release_date);
     virBufferAdjustIndent(buf, -2);
     virBufferAddLit(buf, "</firmware>\n");
 }
@@ -225,9 +218,8 @@ virNodeDeviceCapMdevTypesFormat(virBuffer *buf,
             virMediatedDeviceType *type = mdev_types[i];
             virBufferEscapeString(buf, "<type id='%s'>\n", type->id);
             virBufferAdjustIndent(buf, 2);
-            if (type->name)
-                virBufferEscapeString(buf, "<name>%s</name>\n",
-                                      type->name);
+            virBufferEscapeString(buf, "<name>%s</name>\n",
+                                  type->name);
             virBufferEscapeString(buf, "<deviceAPI>%s</deviceAPI>\n",
                                   type->device_api);
             virBufferAsprintf(buf,
@@ -451,10 +443,9 @@ virNodeDeviceCapUSBInterfaceDefFormat(virBuffer *buf,
                       data->usb_if.subclass);
     virBufferAsprintf(buf, "<protocol>%d</protocol>\n",
                       data->usb_if.protocol);
-    if (data->usb_if.description)
-        virBufferEscapeString(buf,
-                              "<description>%s</description>\n",
-                              data->usb_if.description);
+    virBufferEscapeString(buf,
+                          "<description>%s</description>\n",
+                          data->usb_if.description);
 }
 
 
@@ -466,9 +457,8 @@ virNodeDeviceCapNetDefFormat(virBuffer *buf,
 
     virBufferEscapeString(buf, "<interface>%s</interface>\n",
                           data->net.ifname);
-    if (data->net.address)
-        virBufferEscapeString(buf, "<address>%s</address>\n",
-                              data->net.address);
+    virBufferEscapeString(buf, "<address>%s</address>\n",
+                          data->net.address);
     virInterfaceLinkFormat(buf, &data->net.lnk);
     if (data->net.features) {
         for (i = 0; i < VIR_NET_DEV_FEAT_LAST; i++) {
@@ -530,9 +520,8 @@ virNodeDeviceCapSCSIDefFormat(virBuffer *buf,
     virBufferAsprintf(buf, "<target>%d</target>\n",
                       data->scsi.target);
     virBufferAsprintf(buf, "<lun>%d</lun>\n", data->scsi.lun);
-    if (data->scsi.type)
-        virBufferEscapeString(buf, "<type>%s</type>\n",
-                              data->scsi.type);
+    virBufferEscapeString(buf, "<type>%s</type>\n",
+                          data->scsi.type);
 }
 
 
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 78773f744b35127b18cee430ff8e69ede2cd5e1b..8376da100dd7932670c371fc1da5d627551edf4d 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -515,6 +515,9 @@
         <group>
           <ref name="launchSecuritySEV"/>
         </group>
+        <group>
+          <ref name="launchSecuritySEVSNP"/>
+        </group>
         <group>
           <attribute name="type">
             <value>s390-pv</value>
@@ -527,6 +530,19 @@
     </element>
   </define>
 
+  <define name="launchSecuritySEVCommon">
+    <optional>
+      <element name="cbitpos">
+        <data type="unsignedInt"/>
+      </element>
+    </optional>
+    <optional>
+      <element name="reducedPhysBits">
+        <data type="unsignedInt"/>
+      </element>
+    </optional>
+  </define>
+
   <define name="launchSecuritySEV">
     <attribute name="type">
       <value>sev</value>
@@ -537,16 +553,7 @@
       </attribute>
     </optional>
     <interleave>
-      <optional>
-        <element name="cbitpos">
-          <data type="unsignedInt"/>
-        </element>
-      </optional>
-      <optional>
-        <element name="reducedPhysBits">
-          <data type="unsignedInt"/>
-        </element>
-      </optional>
+      <ref name="launchSecuritySEVCommon"/>
       <element name="policy">
         <ref name="hexuint"/>
       </element>
@@ -574,6 +581,52 @@
     </attribute>
   </define>
 
+  <define name="launchSecuritySEVSNP">
+    <attribute name="type">
+      <value>sev-snp</value>
+    </attribute>
+    <optional>
+      <attribute name="kernelHashes">
+        <ref name="virYesNo"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="authorKey">
+        <ref name="virYesNo"/>
+      </attribute>
+    </optional>
+    <optional>
+      <attribute name="vcek">
+        <ref name="virYesNo"/>
+      </attribute>
+    </optional>
+    <interleave>
+      <ref name="launchSecuritySEVCommon"/>
+      <element name="policy">
+        <ref name="hexuint"/>
+      </element>
+      <optional>
+        <element name="guestVisibleWorkarounds">
+          <data type="string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name="idBlock">
+          <data type="string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name="idAuth">
+          <data type="string"/>
+        </element>
+      </optional>
+      <optional>
+        <element name="hostData">
+          <data type="string"/>
+        </element>
+      </optional>
+    </interleave>
+  </define>
   <!--
       Enable or disable perf events for the domain. For each
       of the events the following rules apply:
diff --git a/src/conf/snapshot_conf.c b/src/conf/snapshot_conf.c
index d7fcded302a44a635b6f933ecd5cb2cc67f992be..039ed77b846c23f474fde1fd9af2e6e33bbb0e2e 100644
--- a/src/conf/snapshot_conf.c
+++ b/src/conf/snapshot_conf.c
@@ -819,9 +819,8 @@ virDomainSnapshotDefFormatInternal(virBuffer *buf,
     virBufferAdjustIndent(buf, 2);
 
     virBufferEscapeString(buf, "<name>%s</name>\n", def->parent.name);
-    if (def->parent.description)
-        virBufferEscapeString(buf, "<description>%s</description>\n",
-                              def->parent.description);
+    virBufferEscapeString(buf, "<description>%s</description>\n",
+                          def->parent.description);
     if (def->state)
         virBufferAsprintf(buf, "<state>%s</state>\n",
                           virDomainSnapshotStateTypeToString(def->state));
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 1849df5c6c9bd36259d2e72dfc40de68e4798d76..b86001ec5092cd797b8f72539072e0b2a254e502 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -317,16 +317,13 @@ virStorageEncryptionInfoDefFormat(virBuffer *buf,
 {
     virBufferEscapeString(buf, "<cipher name='%s'", enc->cipher_name);
     virBufferAsprintf(buf, " size='%u'", enc->cipher_size);
-    if (enc->cipher_mode)
-        virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode);
-    if (enc->cipher_hash)
-        virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash);
+    virBufferEscapeString(buf, " mode='%s'", enc->cipher_mode);
+    virBufferEscapeString(buf, " hash='%s'", enc->cipher_hash);
     virBufferAddLit(buf, "/>\n");
 
     if (enc->ivgen_name) {
         virBufferEscapeString(buf, "<ivgen name='%s'", enc->ivgen_name);
-        if (enc->ivgen_hash)
-            virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash);
+        virBufferEscapeString(buf, " hash='%s'", enc->ivgen_hash);
         virBufferAddLit(buf, "/>\n");
     }
 }
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index f974a521b1f6b2bfc8adccf6cbc9982e664005ef..003fbf031e2910d9d697827b5f8887b0dd7b7735 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -1347,8 +1347,7 @@ int
 virStorageSourcePrivateDataFormatRelPath(virStorageSource *src,
                                          virBuffer *buf)
 {
-    if (src->relPath)
-        virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath);
+    virBufferEscapeString(buf, "<relPath>%s</relPath>\n", src->relPath);
 
     return 0;
 }
diff --git a/src/conf/virconftypes.h b/src/conf/virconftypes.h
index 9eff2f014ec5560c52b546d07641ff6e5c9f6eaa..20f7dd17b4c63f7efc545acf07c6495eb772ad35 100644
--- a/src/conf/virconftypes.h
+++ b/src/conf/virconftypes.h
@@ -210,8 +210,12 @@ typedef struct _virDomainResctrlMonDef virDomainResctrlMonDef;
 
 typedef struct _virDomainResourceDef virDomainResourceDef;
 
+typedef struct _virDomainSEVCommonDef virDomainSEVCommonDef;
+
 typedef struct _virDomainSEVDef virDomainSEVDef;
 
+typedef struct _virDomainSEVSNPDef virDomainSEVSNPDef;
+
 typedef struct _virDomainCCADef virDomainCCADef;
 
 typedef struct _virDomainSecDef virDomainSecDef;
diff --git a/src/conf/virnwfilterbindingdef.c b/src/conf/virnwfilterbindingdef.c
index 423ed7a392b3cd692ce786c4bd0db2bf9faa98a3..fe45c843472136f3e45ceb0a1d47217c84453ef3 100644
--- a/src/conf/virnwfilterbindingdef.c
+++ b/src/conf/virnwfilterbindingdef.c
@@ -203,8 +203,7 @@ virNWFilterBindingDefFormatBuf(virBuffer *buf,
     virBufferAddLit(buf, "</owner>\n");
 
     virBufferEscapeString(buf, "<portdev name='%s'/>\n", def->portdevname);
-    if (def->linkdevname)
-        virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname);
+    virBufferEscapeString(buf, "<linkdev name='%s'/>\n", def->linkdevname);
 
     virMacAddrFormat(&def->mac, mac);
     virBufferAsprintf(buf, "<mac address='%s'/>\n", mac);
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 90fb603adf003bf7d0370d2aed10ccfeea1cf2b9..52689842d68a55c620104ecf26b8df270667c69c 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -698,9 +698,22 @@ VIR_ENUM_IMPL(virQEMUCaps,
               /* 450 */
               "run-with.async-teardown", /* QEMU_CAPS_RUN_WITH_ASYNC_TEARDOWN */
               "virtio-blk-vhost-vdpa", /* QEMU_CAPS_DEVICE_VIRTIO_BLK_VHOST_VDPA */
-              "smp-clusters", /* QEMU_CAPS_SMP_CLUSTERS */
-              "tmm-guest", /* QEMU_CAPS_VIRTCCA */
+			  "virtio-blk.iothread-mapping", /* QEMU_CAPS_VIRTIO_BLK_IOTHREAD_MAPPING */
+
+			  "smp-clusters", /* QEMU_CAPS_SMP_CLUSTERS */
+			  "tmm-guest", /* QEMU_CAPS_VIRTCCA */
+
+			  /* 455 */
+			  "blockjob.backing-mask-protocol", /* QEMU_CAPS_BLOCKJOB_BACKING_MASK_PROTOCOL */
+			  "display-reload", /* QEMU_CAPS_DISPLAY_RELOAD */
+			  "usb-mtp", /* QEMU_CAPS_DEVICE_USB_MTP */
+			  "machine.virt.ras", /* QEMU_CAPS_MACHINE_VIRT_RAS */
+			  "virtio-sound", /* QEMU_CAPS_DEVICE_VIRTIO_SOUND */
+
+			  /* 460 */
+			  "sev-snp-guest", /* QEMU_CAPS_SEV_SNP_GUEST */
               "rme-guest", /* QEMU_CAPS_CCA_GUEST */
+
     );
 
 
@@ -1394,7 +1407,10 @@ struct virQEMUCapsStringFlags virQEMUCapsObjectTypes[] = {
     { "cryptodev-backend-lkcf", QEMU_CAPS_OBJECT_CRYPTO_LKCF },
     { "pvpanic-pci", QEMU_CAPS_DEVICE_PANIC_PCI },
     { "tmm-guest", QEMU_CAPS_VIRTCCA },
+    { "sev-snp-guest", QEMU_CAPS_SEV_SNP_GUEST },
     { "rme-guest", QEMU_CAPS_CCA_GUEST },
+
+
 };
 
 
@@ -1432,6 +1448,7 @@ static struct virQEMUCapsDevicePropsFlags virQEMUCapsDevicePropsVirtioBlk[] = {
     { "scsi", QEMU_CAPS_VIRTIO_BLK_SCSI, virQEMUCapsDevicePropsVirtioBlkSCSIDefault },
     { "queue-size", QEMU_CAPS_VIRTIO_BLK_QUEUE_SIZE, NULL },
     { "acpi-index", QEMU_CAPS_ACPI_INDEX, NULL },
+	{ "iothread-vq-mapping", QEMU_CAPS_VIRTIO_BLK_IOTHREAD_MAPPING, NULL },
 };
 
 static struct virQEMUCapsDevicePropsFlags virQEMUCapsDevicePropsVirtioNet[] = {
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index e4a97bc49113415504b1551a8b1b31ff417491a2..3b6f8cce41bb50593b60d497bc7205609b94c64a 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -677,10 +677,23 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
     /* 450 */
     QEMU_CAPS_RUN_WITH_ASYNC_TEARDOWN, /* asynchronous teardown -run-with async-teardown=on|off */
     QEMU_CAPS_DEVICE_VIRTIO_BLK_VHOST_VDPA, /* virtio-blk-vhost-vdpa block driver */
+    QEMU_CAPS_VIRTIO_BLK_IOTHREAD_MAPPING, /* virtio-blk supports per-virtqueue iothread mapping */
     QEMU_CAPS_SMP_CLUSTERS, /* -smp clusters= */
+
     QEMU_CAPS_VIRTCCA, /* tmm-guest */
+
+	/* 455 */
+	QEMU_CAPS_BLOCKJOB_BACKING_MASK_PROTOCOL, /* backing-mask-protocol of block-commit/block-stream */
+	QEMU_CAPS_DISPLAY_RELOAD, /* 'display-reload' qmp command is supported */
+	QEMU_CAPS_DEVICE_USB_MTP, /* -device usb-mtp */
+	QEMU_CAPS_MACHINE_VIRT_RAS, /* -machine virt,ras= */
+	QEMU_CAPS_DEVICE_VIRTIO_SOUND, /* -device virtio-sound-* */
+
+	/* 460 */
+	QEMU_CAPS_SEV_SNP_GUEST, /* -object sev-snp-guest */
     QEMU_CAPS_CCA_GUEST, /* -object rme-guest */
 
+
     QEMU_CAPS_LAST /* this must always be the last item */
 } virQEMUCapsFlags;
 
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 47402b37507b6728501391c784b6b5a360f0a55b..ae50a3a1241be10aac178d219db99f1f6c179d26 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -844,10 +844,24 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
             return -1;
     }
 
-    if (vm->def->sec &&
-        vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV &&
-        qemuSetupSEVCgroup(vm) < 0)
-        return -1;
+    if (vm->def->sec) {
+        switch (vm->def->sec->sectype) {
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (qemuSetupSEVCgroup(vm) < 0)
+                return -1;
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
+	case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+        case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+        case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+            virReportEnumRangeError(virDomainLaunchSecurity, vm->def->sec->sectype);
+            return -1;
+        }
+    }
 
     return 0;
 }
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index cc8ecfa9fb741575a26bd550204effaa2b38ecfe..90717b34d9a642d07e09d6578bf57a7627307b10 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7055,8 +7055,9 @@ qemuBuildMachineCommandLine(virCommand *cmd,
     qemuAppendLoadparmMachineParm(&buf, def);
 
     if (def->sec) {
-        switch ((virDomainLaunchSecurity) def->sec->sectype) {
+        switch (def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
             if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT)) {
                 virBufferAddLit(&buf, ",confidential-guest-support=lsec0");
             } else {
@@ -9814,7 +9815,7 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
     g_autofree char *secretpath = NULL;
 
     VIR_DEBUG("policy=0x%x cbitpos=%d reduced_phys_bits=%d",
-              sev->policy, sev->cbitpos, sev->reduced_phys_bits);
+              sev->policy, sev->common.cbitpos, sev->common.reduced_phys_bits);
 
     if (sev->user_id)
         VIR_DEBUG("user_id=%s", sev->user_id);
@@ -9832,13 +9833,13 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
         secretpath = g_strdup_printf("%s/secret.base64", priv->libDir);
 
     if (qemuMonitorCreateObjectProps(&props, "sev-guest", "lsec0",
-                                     "u:cbitpos", sev->cbitpos,
-                                     "u:reduced-phys-bits", sev->reduced_phys_bits,
+                                     "u:cbitpos", sev->common.cbitpos,
+                                     "u:reduced-phys-bits", sev->common.reduced_phys_bits,
                                      "u:policy", sev->policy,
                                      "S:user-id", sev->user_id,
                                      "S:dh-cert-file", dhpath,
                                      "S:session-file", sessionpath,
-                                     "T:kernel-hashes", sev->kernel_hashes,
+                                     "T:kernel-hashes", sev->common.kernel_hashes,
                                      "S:secret-header-file", secretheaderpath,
                                      "S:secret-file", secretpath,
                                      NULL) < 0)
@@ -9851,6 +9852,46 @@ qemuBuildSEVCommandLine(virDomainObj *vm, virCommand *cmd,
 }
 
 
+static int
+qemuBuildSEVSNPCommandLine(virDomainObj *vm,
+                           virCommand *cmd,
+                           virDomainSEVSNPDef *def)
+{
+    g_autoptr(virJSONValue) props = NULL;
+    qemuDomainObjPrivate *priv = vm->privateData;
+    virTristateBool vcek_disabled = VIR_TRISTATE_BOOL_ABSENT;
+
+    VIR_DEBUG("policy=0x%llx cbitpos=%d reduced_phys_bits=%d",
+              def->policy, def->common.cbitpos, def->common.reduced_phys_bits);
+
+    /* On QEMU cmd line, there's vcek-disabled which is an inverted boolean. */
+    if (def->vcek == VIR_TRISTATE_BOOL_YES) {
+        vcek_disabled = VIR_TRISTATE_BOOL_NO;
+    } else if (def->vcek == VIR_TRISTATE_BOOL_NO) {
+        vcek_disabled = VIR_TRISTATE_BOOL_YES;
+    }
+
+    if (qemuMonitorCreateObjectProps(&props, "sev-snp-guest", "lsec0",
+                                     "u:cbitpos", def->common.cbitpos,
+                                     "u:reduced-phys-bits", def->common.reduced_phys_bits,
+                                     "T:kernel-hashes", def->common.kernel_hashes,
+                                     "U:policy", def->policy,
+                                     "S:guest-visible-workarounds", def->guest_visible_workarounds,
+                                     "S:id-block", def->id_block,
+                                     "S:id-auth", def->id_auth,
+                                     "S:host-data", def->host_data,
+                                     "T:author-key-enabled", def->author_key,
+                                     "T:vcek-disabled", vcek_disabled,
+                                     NULL) < 0)
+        return -1;
+
+    if (qemuBuildObjectCommandlineFromJSON(cmd, props, priv->qemuCaps) < 0)
+        return -1;
+
+    return 0;
+}
+
+
 static int
 qemuBuildPVCommandLine(virDomainObj *vm, virCommand *cmd)
 {
@@ -9898,10 +9939,13 @@ qemuBuildSecCommandLine(virDomainObj *vm, virCommand *cmd,
     if (!sec)
         return 0;
 
-    switch ((virDomainLaunchSecurity) sec->sectype) {
+    switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuBuildSEVCommandLine(vm, cmd, &sec->data.sev);
         break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        return qemuBuildSEVSNPCommandLine(vm, cmd, &sec->data.sev_snp);
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         return qemuBuildPVCommandLine(vm, cmd);
         break;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index df275c403c78fa586c59f52eb9b824627764dc2a..8254beb5d14cb9720f0d13004ae744f6c9270f34 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -19030,10 +19030,7 @@ qemuDomainGetSEVInfo(virDomainObj *vm,
     int ret = -1;
     int rv;
     g_autofree char *tmp = NULL;
-    unsigned int apiMajor = 0;
-    unsigned int apiMinor = 0;
-    unsigned int buildID = 0;
-    unsigned int policy = 0;
+    qemuMonitorSEVInfo info = { };
     int maxpar = 0;
 
     virCheckFlags(VIR_TYPED_PARAM_STRING_OKAY, -1);
@@ -19048,14 +19045,12 @@ qemuDomainGetSEVInfo(virDomainObj *vm,
     qemuDomainObjEnterMonitor(vm);
     tmp = qemuMonitorGetSEVMeasurement(QEMU_DOMAIN_PRIVATE(vm)->mon);
 
-
     if (!tmp) {
         qemuDomainObjExitMonitor(vm);
         goto endjob;
     }
 
-    rv = qemuMonitorGetSEVInfo(QEMU_DOMAIN_PRIVATE(vm)->mon,
-                               &apiMajor, &apiMinor, &buildID, &policy);
+    rv = qemuMonitorGetSEVInfo(QEMU_DOMAIN_PRIVATE(vm)->mon, &info);
     qemuDomainObjExitMonitor(vm);
 
     if (rv < 0)
@@ -19067,21 +19062,36 @@ qemuDomainGetSEVInfo(virDomainObj *vm,
         goto endjob;
     if (virTypedParamsAddUInt(params, nparams, &maxpar,
                               VIR_DOMAIN_LAUNCH_SECURITY_SEV_API_MAJOR,
-                              apiMajor) < 0)
+                              info.apiMajor) < 0)
         goto endjob;
     if (virTypedParamsAddUInt(params, nparams, &maxpar,
                               VIR_DOMAIN_LAUNCH_SECURITY_SEV_API_MINOR,
-                              apiMinor) < 0)
+                              info.apiMinor) < 0)
         goto endjob;
     if (virTypedParamsAddUInt(params, nparams, &maxpar,
                               VIR_DOMAIN_LAUNCH_SECURITY_SEV_BUILD_ID,
-                              buildID) < 0)
-        goto endjob;
-    if (virTypedParamsAddUInt(params, nparams, &maxpar,
-                              VIR_DOMAIN_LAUNCH_SECURITY_SEV_POLICY,
-                              policy) < 0)
+                              info.buildID) < 0)
         goto endjob;
 
+    switch (info.type) {
+    case QEMU_MONITOR_SEV_GUEST_TYPE_SEV:
+        if (virTypedParamsAddUInt(params, nparams, &maxpar,
+                                  VIR_DOMAIN_LAUNCH_SECURITY_SEV_POLICY,
+                                  info.data.sev.policy) < 0)
+            goto endjob;
+        break;
+
+    case QEMU_MONITOR_SEV_GUEST_TYPE_SEV_SNP:
+        if (virTypedParamsAddULLong(params, nparams, &maxpar,
+                                    VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP_POLICY,
+                                    info.data.sev_snp.snp_policy) < 0)
+            goto endjob;
+        break;
+
+    case QEMU_MONITOR_SEV_GUEST_TYPE_LAST:
+        break;
+    }
+
     ret = 0;
 
  endjob:
@@ -19105,10 +19115,26 @@ qemuDomainGetLaunchSecurityInfo(virDomainPtr domain,
     if (virDomainGetLaunchSecurityInfoEnsureACL(domain->conn, vm->def) < 0)
         goto cleanup;
 
-    if (vm->def->sec &&
-        vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
+    if (!vm->def->sec) {
+        ret = 0;
+        goto cleanup;
+    }
+
+    switch (vm->def->sec->sectype) {
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
         if (qemuDomainGetSEVInfo(vm, params, nparams, flags) < 0)
             goto cleanup;
+        break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
+    case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+    case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+    case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+        virReportEnumRangeError(virDomainLaunchSecurity, vm->def->sec->sectype);
+        return -1;
     }
 
     ret = 0;
diff --git a/src/qemu/qemu_firmware.c b/src/qemu/qemu_firmware.c
index 85f74b494caa4d54f559d0bda4f98abaae6338a9..70fd58b26ad7acd389907e9f156f553e755cac2e 100644
--- a/src/qemu/qemu_firmware.c
+++ b/src/qemu/qemu_firmware.c
@@ -148,6 +148,7 @@ typedef enum {
     QEMU_FIRMWARE_FEATURE_ACPI_S4,
     QEMU_FIRMWARE_FEATURE_AMD_SEV,
     QEMU_FIRMWARE_FEATURE_AMD_SEV_ES,
+    QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP,
     QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS,
     QEMU_FIRMWARE_FEATURE_REQUIRES_SMM,
     QEMU_FIRMWARE_FEATURE_SECURE_BOOT,
@@ -165,6 +166,7 @@ VIR_ENUM_IMPL(qemuFirmwareFeature,
               "acpi-s4",
               "amd-sev",
               "amd-sev-es",
+              "amd-sev-snp",
               "enrolled-keys",
               "requires-smm",
               "secure-boot",
@@ -1183,6 +1185,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
     bool requiresSMM = false;
     bool supportsSEV = false;
     bool supportsSEVES = false;
+    bool supportsSEVSNP = false;
     bool supportsSecureBoot = false;
     bool hasEnrolledKeys = false;
     int reqSecureBoot;
@@ -1230,6 +1233,10 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
             supportsSEVES = true;
             break;
 
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
+            supportsSEVSNP = true;
+            break;
+
         case QEMU_FIRMWARE_FEATURE_REQUIRES_SMM:
             requiresSMM = true;
             break;
@@ -1358,7 +1365,7 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
     }
 
     if (def->sec) {
-        switch ((virDomainLaunchSecurity) def->sec->sectype) {
+        switch (def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
             if (!supportsSEV) {
                 VIR_DEBUG("Domain requires SEV, firmware '%s' doesn't support it",
@@ -1373,6 +1380,14 @@ qemuFirmwareMatchDomain(const virDomainDef *def,
                 return false;
             }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (!supportsSEVSNP) {
+                VIR_DEBUG("Domain requires SEV-SNP firmware '%s' doesn't support it",
+                          path);
+                return false;
+            }
+            break;
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
         case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
             break;
@@ -1486,6 +1501,7 @@ qemuFirmwareEnableFeaturesModern(virDomainDef *def,
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_NONE:
@@ -1536,6 +1552,7 @@ qemuFirmwareSanityCheck(const qemuFirmware *fw,
         case QEMU_FIRMWARE_FEATURE_ACPI_S4:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV:
         case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+        case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
         case QEMU_FIRMWARE_FEATURE_VERBOSE_STATIC:
         case QEMU_FIRMWARE_FEATURE_LAST:
@@ -1965,6 +1982,7 @@ qemuFirmwareGetSupported(const char *machine,
             case QEMU_FIRMWARE_FEATURE_ACPI_S4:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV:
             case QEMU_FIRMWARE_FEATURE_AMD_SEV_ES:
+            case QEMU_FIRMWARE_FEATURE_AMD_SEV_SNP:
             case QEMU_FIRMWARE_FEATURE_ENROLLED_KEYS:
             case QEMU_FIRMWARE_FEATURE_SECURE_BOOT:
             case QEMU_FIRMWARE_FEATURE_VERBOSE_DYNAMIC:
diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
index 5cfe285d0854c744582acda31671e259e12748b6..3169d00a836c0958a07ffe45ea66f1d5f9e53db1 100644
--- a/src/qemu/qemu_monitor.c
+++ b/src/qemu/qemu_monitor.c
@@ -4091,14 +4091,11 @@ qemuMonitorGetSEVMeasurement(qemuMonitor *mon)
 
 int
 qemuMonitorGetSEVInfo(qemuMonitor *mon,
-                      unsigned int *apiMajor,
-                      unsigned int *apiMinor,
-                      unsigned int *buildID,
-                      unsigned int *policy)
+                      qemuMonitorSEVInfo *info)
 {
     QEMU_CHECK_MONITOR(mon);
 
-    return qemuMonitorJSONGetSEVInfo(mon, apiMajor, apiMinor, buildID, policy);
+    return qemuMonitorJSONGetSEVInfo(mon, info);
 }
 
 
diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h
index 902f82ca65b88448e66d1b332dcc36453fed88df..3ab9ccd56ede98f0ad36424d75f870fc2ecadabb 100644
--- a/src/qemu/qemu_monitor.h
+++ b/src/qemu/qemu_monitor.h
@@ -1354,14 +1354,43 @@ int qemuMonitorBlockdevMediumInsert(qemuMonitor *mon,
 char *
 qemuMonitorGetSEVMeasurement(qemuMonitor *mon);
 
+typedef struct _qemuMonitorSEVGuestInfo qemuMonitorSEVGuestInfo;
+struct _qemuMonitorSEVGuestInfo {
+    unsigned int policy;
+    unsigned int handle;
+};
+
+typedef struct _qemuMonitorSEVSNPGuestInfo qemuMonitorSEVSNPGuestInfo;
+struct _qemuMonitorSEVSNPGuestInfo {
+    unsigned long long snp_policy;
+};
+
+
+typedef enum {
+    QEMU_MONITOR_SEV_GUEST_TYPE_SEV,
+    QEMU_MONITOR_SEV_GUEST_TYPE_SEV_SNP,
+
+    QEMU_MONITOR_SEV_GUEST_TYPE_LAST
+} qemuMonitorSEVGuestType;
+
+VIR_ENUM_DECL(qemuMonitorSEVGuest);
+
+typedef struct _qemuMonitorSEVInfo qemuMonitorSEVInfo;
+struct _qemuMonitorSEVInfo {
+    unsigned int apiMajor;
+    unsigned int apiMinor;
+    unsigned int buildID;
+    qemuMonitorSEVGuestType type;
+    union {
+        qemuMonitorSEVGuestInfo sev;
+        qemuMonitorSEVSNPGuestInfo sev_snp;
+    } data;
+};
+
 int
 qemuMonitorGetSEVInfo(qemuMonitor *mon,
-                      unsigned int *apiMajor,
-                      unsigned int *apiMinor,
-                      unsigned int *buildID,
-                      unsigned int *policy)
-    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
-    ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
+                      qemuMonitorSEVInfo *info)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 
 int
 qemuMonitorSetLaunchSecurityState(qemuMonitor *mon,
diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c
index d6dccfeda60a561ec1bc5b7f07fdd0dcb95a1d76..4394c62374a0f02049f935444ca67bd9fe2b15f1 100644
--- a/src/qemu/qemu_monitor_json.c
+++ b/src/qemu/qemu_monitor_json.c
@@ -8121,13 +8121,20 @@ qemuMonitorJSONGetSEVMeasurement(qemuMonitor *mon)
     if (!(data = qemuMonitorJSONGetReply(cmd, reply, VIR_JSON_TYPE_OBJECT)))
         return NULL;
 
-    if (!(tmp = virJSONValueObjectGetString(data, "data")))
+    if (!(tmp = virJSONValueObjectGetString(data, "data"))) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("query-sev-launch-measure reply was missing 'data'"));
         return NULL;
+    }
 
     return g_strdup(tmp);
 }
 
 
+VIR_ENUM_IMPL(qemuMonitorSEVGuest,
+              QEMU_MONITOR_SEV_GUEST_TYPE_LAST,
+              "sev", "sev-snp");
+
 /**
  * Retrieve info about the SEV setup, returning those fields that
  * are required to do a launch attestation, as per
@@ -8141,13 +8148,15 @@ qemuMonitorJSONGetSEVMeasurement(qemuMonitor *mon)
  *  { "return": { "enabled": true, "api-major" : 0, "api-minor" : 0,
  *                "build-id" : 0, "policy" : 0, "state" : "running",
  *                "handle" : 1 } }
+ *
+ *  Or newer (as of QEMU v9.0.0-1155-g59d3740cb4):
+ *
+ *  {"return": {"enabled": true, "api-minor": 55, "handle": 1, "state": "launch-secret",
+ *              "api-major": 1, "sev-type": "sev", "build-id": 21, "policy": 1}}
  */
 int
 qemuMonitorJSONGetSEVInfo(qemuMonitor *mon,
-                          unsigned int *apiMajor,
-                          unsigned int *apiMinor,
-                          unsigned int *buildID,
-                          unsigned int *policy)
+                          qemuMonitorSEVInfo *info)
 {
     g_autoptr(virJSONValue) cmd = NULL;
     g_autoptr(virJSONValue) reply = NULL;
@@ -8162,13 +8171,51 @@ qemuMonitorJSONGetSEVInfo(qemuMonitor *mon,
     if (!(data = qemuMonitorJSONGetReply(cmd, reply, VIR_JSON_TYPE_OBJECT)))
         return -1;
 
-    if (virJSONValueObjectGetNumberUint(data, "api-major", apiMajor) < 0 ||
-        virJSONValueObjectGetNumberUint(data, "api-minor", apiMinor) < 0 ||
-        virJSONValueObjectGetNumberUint(data, "build-id", buildID) < 0 ||
-        virJSONValueObjectGetNumberUint(data, "policy", policy) < 0)
-        return -1;
+    if (virJSONValueObjectGetNumberUint(data, "api-major", &info->apiMajor) < 0 ||
+        virJSONValueObjectGetNumberUint(data, "api-minor", &info->apiMinor) < 0 ||
+        virJSONValueObjectGetNumberUint(data, "build-id", &info->buildID) < 0) {
+        goto error;
+    }
+
+    if (virJSONValueObjectHasKey(data, "sev-type")) {
+        const char *sevTypeStr = virJSONValueObjectGetString(data, "sev-type");
+        int sevType;
+
+        if ((sevType = qemuMonitorSEVGuestTypeFromString(sevTypeStr)) < 0) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           _("unknown SEV type '%1$s'"),
+                           sevTypeStr);
+            return -1;
+        }
+
+        info->type = sevType;
+    } else {
+        info->type = QEMU_MONITOR_SEV_GUEST_TYPE_SEV;
+    }
+
+    switch (info->type) {
+    case QEMU_MONITOR_SEV_GUEST_TYPE_SEV:
+        if (virJSONValueObjectGetNumberUint(data, "policy", &info->data.sev.policy) < 0 ||
+            virJSONValueObjectGetNumberUint(data, "handle", &info->data.sev.handle) < 0) {
+            goto error;
+        }
+        break;
+
+    case QEMU_MONITOR_SEV_GUEST_TYPE_SEV_SNP:
+        if (virJSONValueObjectGetNumberUlong(data, "snp-policy", &info->data.sev_snp.snp_policy) < 0)
+            goto error;
+        break;
+
+    case QEMU_MONITOR_SEV_GUEST_TYPE_LAST:
+        break;
+    }
 
     return 0;
+
+ error:
+    virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                   _("query-sev reply was missing some data"));
+    return -1;
 }
 
 
diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h
index cdf9f5efc4657f26de385e4aa8474dabdbea85b4..962bf77374532cb7a8daa78e5a7a8d8f09e3181e 100644
--- a/src/qemu/qemu_monitor_json.h
+++ b/src/qemu/qemu_monitor_json.h
@@ -425,12 +425,8 @@ qemuMonitorJSONGetSEVMeasurement(qemuMonitor *mon);
 
 int
 qemuMonitorJSONGetSEVInfo(qemuMonitor *mon,
-                          unsigned int *apiMajor,
-                          unsigned int *apiMinor,
-                          unsigned int *buildID,
-                          unsigned int *policy)
-    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
-    ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(5);
+                          qemuMonitorSEVInfo *info)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 
 int
 qemuMonitorJSONGetVersion(qemuMonitor *mon,
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index b6c8b9bb96beb70c67f4650dbf06140e97737606..1153d56de2cb0510a32cb16d22f0fbc7f41a486a 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -651,8 +651,9 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
     if (!sec)
         return 0;
 
-    switch ((virDomainLaunchSecurity) sec->sectype) {
+    switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
         VIR_DEBUG("Setting up launch security for SEV");
 
         *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SEV));
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 4141ea813b830d719a5ed2c126f16b4fae478a1a..fc89f909b274c4031db38f60b5e6f9ea052f1ebc 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6811,14 +6811,14 @@ qemuProcessUpdateSEVInfo(virDomainObj *vm)
      * mandatory on QEMU cmdline
      */
     sevCaps = virQEMUCapsGetSEVCapabilities(qemuCaps);
-    if (!sev->haveCbitpos) {
-        sev->cbitpos = sevCaps->cbitpos;
-        sev->haveCbitpos = true;
+    if (!sev->common.haveCbitpos) {
+        sev->common.cbitpos = sevCaps->cbitpos;
+        sev->common.haveCbitpos = true;
     }
 
-    if (!sev->haveReducedPhysBits) {
-        sev->reduced_phys_bits = sevCaps->reduced_phys_bits;
-        sev->haveReducedPhysBits = true;
+    if (!sev->common.haveReducedPhysBits) {
+        sev->common.reduced_phys_bits = sevCaps->reduced_phys_bits;
+        sev->common.haveReducedPhysBits = true;
     }
 
     return 0;
@@ -6979,11 +6979,24 @@ qemuProcessPrepareDomain(virQEMUDriver *driver,
     for (i = 0; i < vm->def->nshmems; i++)
         qemuDomainPrepareShmemChardev(vm->def->shmems[i]);
 
-    if (vm->def->sec &&
-        vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
-        VIR_DEBUG("Updating SEV platform info");
-        if (qemuProcessUpdateSEVInfo(vm) < 0)
+    if (vm->def->sec) {
+        switch (vm->def->sec->sectype) {
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            VIR_DEBUG("Updating SEV platform info");
+            if (qemuProcessUpdateSEVInfo(vm) < 0)
+                return -1;
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+        case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+        case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+            virReportEnumRangeError(virDomainLaunchSecurity, vm->def->sec->sectype);
             return -1;
+        }
     }
 
     return 0;
@@ -7054,9 +7067,11 @@ qemuProcessPrepareLaunchSecurityGuestInput(virDomainObj *vm)
     if (!sec)
         return 0;
 
-    switch ((virDomainLaunchSecurity) sec->sectype) {
+    switch (sec->sectype) {
     case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
         return qemuProcessPrepareSEVGuestInput(vm);
+    case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+        break;
     case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
         return 0;
     case VIR_DOMAIN_LAUNCH_SECURITY_PV:
@@ -8636,9 +8651,9 @@ qemuProcessKill(virDomainObj *vm, unsigned int flags)
     }
 
     /* Request an extra delay of two seconds per current nhostdevs
-     * to be safe against stalls by the kernel freeing up the resources 
-     * At the same time, Calculate the extra waiting delay required by the 
-     * VM specifications. The unpin time during device passthrough is 
+     * to be safe against stalls by the kernel freeing up the resources
+     * At the same time, Calculate the extra waiting delay required by the
+     * VM specifications. The unpin time during device passthrough is
      * related to the momory */
     extraWaitingTime = vm->def->nhostdevs * 2;
     if (vm->def->nhostdevs > 0) {
diff --git a/src/qemu/qemu_validate.c b/src/qemu/qemu_validate.c
index e3ed00d9b02af12fbd27351c9122cac4cba36463..001cd2c800ed5caafedddd6ea8cfc63b976c21cc 100644
--- a/src/qemu/qemu_validate.c
+++ b/src/qemu/qemu_validate.c
@@ -1201,7 +1201,7 @@ qemuValidateDomainDef(const virDomainDef *def,
         def->os.arch == VIR_ARCH_AARCH64 &&
         (def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_EFI &&
          !virDomainDefHasOldStyleUEFI(def))) {
-        if (!isCvm || def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_NONE) { 
+        if (!isCvm || def->os.firmware != VIR_DOMAIN_OS_DEF_FIRMWARE_NONE) {
             virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                            _("ACPI requires UEFI on this architecture"));
             return -1;
@@ -1297,7 +1297,7 @@ qemuValidateDomainDef(const virDomainDef *def,
         return -1;
 
     if (def->sec) {
-        switch ((virDomainLaunchSecurity) def->sec->sectype) {
+        switch (def->sec->sectype) {
         case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
             if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST)) {
                 virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
@@ -1305,13 +1305,22 @@ qemuValidateDomainDef(const virDomainDef *def,
                 return -1;
             }
 
-            if (def->sec->data.sev.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
+            if (def->sec->data.sev.common.kernel_hashes != VIR_TRISTATE_BOOL_ABSENT &&
                 !virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_GUEST_KERNEL_HASHES)) {
                 virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                                _("SEV measured direct kernel boot is not supported with this QEMU binary"));
                 return -1;
             }
             break;
+
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_SEV_SNP_GUEST)) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("SEV SNP launch security is not supported with this QEMU binary"));
+                return -1;
+            }
+            break;
+
         case VIR_DOMAIN_LAUNCH_SECURITY_PV:
             if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_MACHINE_CONFIDENTAL_GUEST_SUPPORT) ||
                 !virQEMUCapsGet(qemuCaps, QEMU_CAPS_S390_PV_GUEST)) {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 96aebfce5b0c69cf23d086d8cc2ded49ea6e9453..e80af07565a88174ae421ff613a01aa2703498ac 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1977,10 +1977,23 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
             rc = -1;
     }
 
-    if (def->sec &&
-        def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
-        if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
-            rc = -1;
+    if (def->sec) {
+        switch (def->sec->sectype) {
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
+                rc = -1;
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
+	case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+        case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+        case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+            virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
+            return -1;
+        }
     }
 
     for (i = 0; i < def->nsysinfo; i++) {
@@ -2201,10 +2214,23 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
             return -1;
     }
 
-    if (def->sec &&
-        def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV) {
-        if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+    if (def->sec) {
+        switch (def->sec->sectype) {
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+                return -1;
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CCA:
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_CVM:
+        case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+        case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+            virReportEnumRangeError(virDomainLaunchSecurity, def->sec->sectype);
             return -1;
+        }
     }
 
     if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
diff --git a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
index 2d3b821acbb6fe05eca23f564c1b8784346acb6f..d83d394ba77f81798fd77c805d8846219bf5974e 100644
--- a/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
+++ b/tests/qemufirmwaredata/out/usr/share/qemu/firmware/60-edk2-ovmf-x64-amdsev.json
@@ -21,6 +21,7 @@
     "features": [
         "amd-sev",
         "amd-sev-es",
+        "amd-sev-snp",
         "verbose-dynamic"
     ]
 }
diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c
index 45cee237981973379361e1d6b6f49a03fe1da3a0..66d0c127ca3cda07e97cf6050c80d8d3605b7101 100644
--- a/tests/qemumonitorjsontest.c
+++ b/tests/qemumonitorjsontest.c
@@ -2730,10 +2730,7 @@ testQemuMonitorJSONGetSEVInfo(const void *opaque)
     const testGenericData *data = opaque;
     virDomainXMLOption *xmlopt = data->xmlopt;
     g_autoptr(qemuMonitorTest) test = NULL;
-    unsigned int apiMajor = 0;
-    unsigned int apiMinor = 0;
-    unsigned int buildID = 0;
-    unsigned int policy = 0;
+    qemuMonitorSEVInfo info = { };
 
     if (!(test = qemuMonitorTestNewSchema(xmlopt, data->schema)))
         return -1;
@@ -2753,16 +2750,70 @@ testQemuMonitorJSONGetSEVInfo(const void *opaque)
                                "}") < 0)
         return -1;
 
-    if (qemuMonitorGetSEVInfo(qemuMonitorTestGetMonitor(test),
-                              &apiMajor, &apiMinor, &buildID, &policy) < 0)
+    if (qemuMonitorGetSEVInfo(qemuMonitorTestGetMonitor(test), &info) < 0)
         return -1;
 
-    if (apiMajor != 1 || apiMinor != 8 || buildID != 834 || policy != 3) {
+    if (info.apiMajor != 1 || info.apiMinor != 8 || info.buildID != 834 ||
+        info.type != QEMU_MONITOR_SEV_GUEST_TYPE_SEV ||
+        info.data.sev.policy != 3 || info.data.sev.handle != 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
                        "Unexpected SEV info values");
         return -1;
     }
 
+    if (qemuMonitorTestAddItem(test, "query-sev",
+                               "{"
+                               "    \"return\": {"
+                               "        \"enabled\": true,"
+                               "        \"api-minor\": 55,"
+                               "        \"handle\": 1,"
+                               "        \"state\": \"running\","
+                               "        \"api-major\": 1,"
+                               "        \"sev-type\": \"sev\","
+                               "        \"build-id\": 21,"
+                               "        \"policy\": 1"
+                               "    },"
+                               "    \"id\": \"libvirt-16\""
+                               "}") < 0)
+        return -1;
+
+    if (qemuMonitorGetSEVInfo(qemuMonitorTestGetMonitor(test), &info) < 0)
+        return -1;
+
+    if (info.apiMajor != 1 || info.apiMinor != 55 || info.buildID != 21 ||
+        info.type != QEMU_MONITOR_SEV_GUEST_TYPE_SEV ||
+        info.data.sev.policy != 1 || info.data.sev.handle != 1) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       "Unexpected SEV info values");
+        return -1;
+    }
+
+    if (qemuMonitorTestAddItem(test, "query-sev",
+                               "{"
+                               "    \"return\": {"
+                               "        \"enabled\": true,"
+                               "        \"api-minor\": 55,"
+                               "        \"state\": \"running\","
+                               "        \"api-major\": 1,"
+                               "        \"sev-type\": \"sev-snp\","
+                               "        \"build-id\": 21,"
+                               "        \"snp-policy\": 196608"
+                               "    },"
+                               "    \"id\": \"libvirt-16\""
+                               "}") < 0)
+        return -1;
+
+    if (qemuMonitorGetSEVInfo(qemuMonitorTestGetMonitor(test), &info) < 0)
+        return -1;
+
+    if (info.apiMajor != 1 || info.apiMinor != 55 || info.buildID != 21 ||
+        info.type != QEMU_MONITOR_SEV_GUEST_TYPE_SEV_SNP ||
+        info.data.sev_snp.snp_policy != 0x30000) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       "Unexpected SEV SNP info values");
+        return -1;
+    }
+
     return 0;
 }