Add HW_CPU_AMD_SEV trait

Add a trait reflecting a compute host's capability to offer AMD's
on-chip Secure Encrypted Virtualization functionality:

https://en.wikipedia.org/wiki/Zen_(microarchitecture)#Enhanced_security_and_virtualization_support
https://developer.amd.com/sev/

This will facilitate booting of security-sensitive VMs only on hosts
which offer additional security via SEV.  More details available here:

https://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html

Change-Id: I8ebfeac3cabbb64a7913f0b8193010a1b712382b
blueprint: amd-sev-libvirt-support

doc/source/reference/index.rst

@@ -2,6 +2,8 @@
 Reference
 =========
 
+.. contents:: :local:
+
 CUDA
 ----
 
@@ -56,3 +58,33 @@ the CUDA SDK 8.0 is capable of working with::
 For more information on CUDA, see the `Wikipedia article`_.
 
 .. _Wikipedia article: https://en.wikipedia.org/wiki/CUDA
+
+AMD SEV
+-------
+
+While data is typically encrypted today when stored on disk, it is
+stored in DRAM in the clear.  This can leave the data vulnerable to
+snooping by unauthorized administrators or software, or by hardware
+probing.  New non-volatile memory technology (NVDIMM) exacerbates this
+problem since an NVDIMM chip can be physically removed from a system
+with the data intact, similar to a hard drive.  Without encryption any
+stored information such as sensitive data, passwords, or secret keys
+can be easily compromised.
+
+`AMD's SEV (Secure Encrypted Virtualization)
+<https://developer.amd.com/sev/>`_ is a VM protection technology which
+transparently encrypts the memory of each VM with a unique key.  It
+can also calculate a signature of the memory contents, which can be
+sent to the VM's owner as an attestation that the memory was encrypted
+correctly by the firmware.  SEV is particularly applicable to cloud
+computing since it can reduce the amount of trust VMs need to place in
+the hypervisor and administrator of their host system.
+
+The ``os_traits.hw.cpu.amd.SEV`` trait can be used to indicate that a
+compute host contains support for SEV not only on-CPU, but also in all
+other layers of the hypervisor stack required in order to take
+advantage of this feature: the kernel, QEMU, and libvirt.  This trait
+can be specified as required by a flavor extra spec or image property
+``trait:HW_CPU_AMD_SEV=required`` in order to indicate that VMs with
+that flavor or image must only be booted on SEV-capable hosts with the
+SEV functionality enabled.

os_traits/hw/cpu/amd.py

@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+TRAITS = [
+    # ref: https://developer.amd.com/sev/
+    'SEV',
+]