diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 2e9c450606..51ca23aece 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -8222,7 +8222,7 @@ spec `__ ... - + 0x0001 47 1
@@ -8232,6 +8232,11 @@ spec `__ ... +``kernelHashes`` + The optional ``kernelHashes`` attribute indicates whether the + hashes of the kernel, ramdisk and command line should be included + in the measurement done by the firmware. This is only valid if + using direct kernel boot. :since:`Since 8.0.0` ``cbitpos`` The required ``cbitpos`` element provides the C-bit (aka encryption bit) location in guest page table entry. The value of ``cbitpos`` is hypervisor
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index ce5018f798..7fa5c2b8b5 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -499,6 +499,11 @@ sev + + + + +
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e0c92816f1..716c6d2240 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -14804,6 +14804,10 @@ virDomainSEVDefParseXML(virDomainSEVDef *def, unsigned long policy; int rc; + if (virXMLPropTristateBool(ctxt->node, "kernelHashes", VIR_XML_PROP_NONE, + &def->kernel_hashes) < 0) + return -1; + if (virXPathULongHex("string(./policy)", ctxt, &policy) < 0) { virReportError(VIR_ERR_XML_ERROR, "%s", _("failed to get launch security policy"));
@@ -27134,6 +27138,10 @@ virDomainSecDefFormat(virBuffer *buf, virDomainSecDef *sec) case VIR_DOMAIN_LAUNCH_SECURITY_SEV: { virDomainSEVDef *sev = &sec->data.sev; + if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT) + virBufferAsprintf(&attrBuf, " kernelHashes='%s'", + virTristateBoolTypeToString(sev->kernel_hashes)); + if (sev->haveCbitpos) virBufferAsprintf(&childBuf, "%d\n", sev->cbitpos);
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index afabcd1b4d..144ba4dd12 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
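Review bot: Nothing in the virDomainSEVDefParseXML hunk ties `kernelHashes` to direct kernel boot, although the documentation added by this same commit says the attribute is only valid in that case. If no validation outside the visible hunks covers it, a domain with `kernelHashes='yes'` and no kernel configured would be accepted, and the mismatch with what the guest owner expects the launch measurement to cover would surface late, if at all. The parser only sees the SEV element, so the check belongs in domain validation, for example `if (sev->kernel_hashes == VIR_TRISTATE_BOOL_YES && !def->os.kernel)` followed by a configuration error. The function body starts and continues outside the hunk.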
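Review bot: The added `if` in virDomainSecDefFormat has a body that spans two lines without braces, which is easy to misread once another statement is added under it. I would write `if (sev->kernel_hashes != VIR_TRISTATE_BOOL_ABSENT) {` and close the block after the `virBufferAsprintf` call. The same applies to the added `if` in virDomainSEVDefParseXML, whose condition wraps onto a second line before `return -1;`. The enclosing switch case starts and ends outside the hunk.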
@@ -2714,6 +2714,7 @@ struct _virDomainSEVDef { unsigned int cbitpos; bool haveReducedPhysBits; unsigned int reduced_phys_bits; + virTristateBool kernel_hashes; }; struct _virDomainSecDef {
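Review bot: The new `kernel_hashes` member of struct _virDomainSEVDef is added without a comment, although its value changes what the SEV launch measurement covers. I would add `/* include kernel, ramdisk and command line hashes in the firmware launch measurement; direct kernel boot only */` above it. The comment should also say what VIR_TRISTATE_BOOL_ABSENT means for the measurement, which this diff does not show.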