QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.
QEMU has two operating modes:
QEMU can run without an host kernel driver and yet gives acceptable performance.
For system emulation, the following hardware targets are supported:
For user emulation, x86, PowerPC, ARM, 32-bit MIPS, Sparc32/64, ColdFire(m68k), CRISv32 and MicroBlaze CPUs are supported.
If you want to compile QEMU yourself, see section 6. Compilation from the sources.
If a precompiled package is available for your distribution - you just have to install it. Otherwise, see section 6. Compilation from the sources.
Download the experimental binary installer at http://www.free.oszoo.org/@/download.html.
Download the experimental binary installer at http://www.free.oszoo.org/@/download.html.
The QEMU PC System emulator simulates the following peripherals:
SMP is supported with up to 255 CPUs.
Note that adlib, gus and cs4231a are only available when QEMU was configured with --audio-card-list option containing the name(s) of required card(s).
QEMU uses the PC BIOS from the Bochs project and the Plex86/Bochs LGPL VGA BIOS.
QEMU uses YM3812 emulation by Tatsuyuki Satoh.
QEMU uses GUS emulation(GUSEMU32 http://www.deinmeister.de/gusemu/) by Tibor "TS" Schütz.
CS4231A is the chip used in Windows Sound System and GUSMAX products
Download and uncompress the linux image (`linux.img') and type:
qemu linux.img
Linux should boot and give you a prompt.
usage: qemu [options] [disk_image]
disk_image is a raw hard disk image for IDE hard disk 0. Some targets do not need a disk image.
During the graphical emulation, you can use the following keys:
In the virtual consoles, you can use Ctrl-Up, Ctrl-Down, Ctrl-PageUp and Ctrl-PageDown to move in the back log.
During emulation, if you are using the `-nographic' option, use Ctrl-a h to get terminal commands:
The QEMU monitor is used to give complex commands to the QEMU emulator. You can use it to:
The following commands are available:
The monitor understands integers expressions for every integer argument. You can use register names to get the value of specifics CPU registers by prefixing them with $.
Since version 0.6.1, QEMU supports many disk image formats, including growable disk images (their size increase as non empty sectors are written), compressed and encrypted disk images. Version 0.8.3 added the new qcow2 disk image format which is essential to support VM snapshots.
You can create a disk image with the command:
qemu-img create myimage.img mysize
where myimage.img is the disk image filename and mysize is its
size in kilobytes. You can add an M suffix to give the size in
megabytes and a G suffix for gigabytes.
See section 3.6.4 qemu-img Invocation for more information.
If you use the option `-snapshot', all disk images are
considered as read only. When sectors in written, they are written in
a temporary file created in `/tmp'. You can however force the
write back to the raw disk images by using the commit monitor
command (or C-a s in the serial console).
VM snapshots are snapshots of the complete virtual machine including
CPU state, RAM, device state and the content of all the writable
disks. In order to use VM snapshots, you must have at least one non
removable and writable block device using the qcow2 disk image
format. Normally this device is the first virtual hard drive.
Use the monitor command savevm to create a new VM snapshot or
replace an existing one. A human readable name can be assigned to each
snapshot in addition to its numerical ID.
Use loadvm to restore a VM snapshot and delvm to remove
a VM snapshot. info snapshots lists the available snapshots
with their associated information:
(qemu) info snapshots Snapshot devices: hda Snapshot list (from hda): ID TAG VM SIZE DATE VM CLOCK 1 start 41M 2006-08-06 12:38:02 00:00:14.954 2 40M 2006-08-06 12:43:29 00:00:18.633 3 msys 40M 2006-08-06 12:44:04 00:00:23.514
A VM snapshot is made of a VM state info (its size is shown in
info snapshots) and a snapshot of every writable disk image.
The VM state info is stored in the first qcow2 non removable
and writable block device. The disk image snapshots are stored in
every disk image. The size of a snapshot in a disk image is difficult
to evaluate and is not shown by info snapshots because the
associated disk sectors are shared among all the snapshots to save
disk space (otherwise each snapshot would need a full copy of all the
disk images).
When using the (unrelated) -snapshot option
(section 3.6.2 Snapshot mode), you can always make VM snapshots,
but they are deleted as soon as you exit QEMU.
VM snapshots currently have the following known limitations:
qemu-img Invocationusage: qemu-img command [command options]
The following commands are supported:
Command parameters:
output_base_image should have the same
content as the input's base image, however the path, image format, etc may
differ
raw
qemu-img info to know the real size used by the
image or ls -ls on Unix/Linux.
qcow2
qcow
cow
vmdk
cloop
k or K
(kilobyte, 1024) M (megabyte, 1024k) and G (gigabyte, 1024M)
and T (terabyte, 1024G) are supported. b is ignored.
-o ? for an overview of the options supported
by the used format
Parameters to snapshot subcommand:
Command description:
commit monitor command.
The size can also be specified using the size option with -o,
it doesn't need to be specified separately in this case.
-c
option) or use any format specific options like encryption (-o option).
Only the formats qcow and qcow2 support encryption or compression. The
compression is read-only. It means that if a compressed sector is
rewritten, then it is rewritten as uncompressed data.
Encryption uses the AES format which is very secure (128 bit keys). Use
a long password (16 characters) to get maximum protection.
Image conversion is also useful to get smaller image when using a
growable format such as qcow or cow: the empty sectors
are detected and suppressed from the destination image.
qemu-nbd Invocationusage: qemu-nbd [OPTION]... filename
Export Qemu disk image using NBD protocol.
In addition to disk image files, QEMU can directly access host devices. We describe here the usage for QEMU version >= 0.8.3.
On Linux, you can directly use the host device filename instead of a disk image filename provided you have enough privileges to access it. For example, use `/dev/cdrom' to access to the CDROM or `/dev/fd0' for the floppy.
CD
Floppy
Hard disks
CD
change or eject monitor commands to
change or eject media.
Hard disks
`/dev/cdrom' is an alias to the first CDROM.
Currently there is no specific code to handle removable media, so it
is better to use the change or eject monitor commands to
change or eject media.
QEMU can automatically create a virtual FAT disk image from a directory tree. In order to use it, just type:
qemu linux.img -hdb fat:/my_directory
Then you access access to all the files in the `/my_directory' directory without having to copy them in a disk image or to export them via SAMBA or NFS. The default access is read-only.
Floppies can be emulated with the :floppy: option:
qemu linux.img -fda fat:floppy:/my_directory
A read/write support is available for testing (beta stage) with the
:rw: option:
qemu linux.img -fda fat:floppy:rw:/my_directory
What you should never do:
QEMU can access directly to block device exported using the Network Block Device protocol.
qemu linux.img -hdb nbd:my_nbd_server.mydomain.org:1024
If the NBD server is located on the same host, you can use an unix socket instead of an inet socket:
qemu linux.img -hdb nbd:unix:/tmp/my_socket
In this case, the block device must be exported using qemu-nbd:
qemu-nbd --socket=/tmp/my_socket my_disk.qcow2
The use of qemu-nbd allows to share a disk between several guests:
qemu-nbd --socket=/tmp/my_socket --share=2 my_disk.qcow2
and then you can use it with two guests:
qemu linux1.img -hdb nbd:unix:/tmp/my_socket qemu linux2.img -hdb nbd:unix:/tmp/my_socket
QEMU can simulate several network cards (PCI or ISA cards on the PC target) and can connect them to an arbitrary number of Virtual Local Area Networks (VLANs). Host TAP devices can be connected to any QEMU VLAN. VLAN can be connected between separate instances of QEMU to simulate large networks. For simpler usage, a non privileged user mode network stack can replace the TAP device to have a basic network connection.
QEMU simulates several VLANs. A VLAN can be symbolised as a virtual connection between several network devices. These devices can be for example QEMU virtual Ethernet cards or virtual Host ethernet devices (TAP devices).
This is the standard way to connect QEMU to a real network. QEMU adds
a virtual network device on your host (called tapN), and you
can then configure it as if it was a real ethernet card.
As an example, you can download the `linux-test-xxx.tar.gz'
archive and copy the script `qemu-ifup' in `/etc' and
configure properly sudo so that the command ifconfig
contained in `qemu-ifup' can be executed as root. You must verify
that your host kernel supports the TAP network interfaces: the
device `/dev/net/tun' must be present.
See section 3.3 Invocation to have examples of command lines using the TAP network interfaces.
There is a virtual ethernet driver for Windows 2000/XP systems, called TAP-Win32. But it is not included in standard QEMU for Windows, so you will need to get it separately. It is part of OpenVPN package, so download OpenVPN from : http://openvpn.net/.
By using the option `-net user' (default configuration if no `-net' option is specified), QEMU uses a completely user mode network stack (you don't need root privilege to use the virtual network). The virtual network configuration is the following:
QEMU VLAN <------> Firewall/DHCP server <-----> Internet
| (10.0.2.2)
|
----> DNS server (10.0.2.3)
|
----> SMB server (10.0.2.4)
The QEMU VM behaves as if it was behind a firewall which blocks all incoming connections. You can use a DHCP client to automatically configure the network in the QEMU VM. The DHCP server assign addresses to the hosts starting from 10.0.2.15.
In order to check that the user mode network is working, you can ping the address 10.0.2.2 and verify that you got an address in the range 10.0.2.x from the QEMU virtual DHCP server.
Note that ping is not supported reliably to the internet as it
would require root privileges. It means you can only ping the local
router (10.0.2.2).
When using the built-in TFTP server, the router is also the TFTP server.
When using the `-redir' option, TCP or UDP connections can be redirected from the host to the guest. It allows for example to redirect X11, telnet or SSH connections.
Using the `-net socket' option, it is possible to make VLANs that span several QEMU instances. See section 3.3 Invocation to have a basic example.
This section explains how to launch a Linux kernel inside QEMU without having to make a full bootable image. It is very useful for fast Linux kernel testing.
The syntax is:
qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"
Use `-kernel' to provide the Linux kernel image and `-append' to give the kernel command line arguments. The `-initrd' option can be used to provide an INITRD image.
When using the direct Linux boot, a disk image for the first hard disk `hda' is required because its boot sector is used to launch the Linux kernel.
If you do not need graphical output, you can disable it and redirect the virtual serial port and the QEMU monitor to the console with the `-nographic' option. The typical command line is:
qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
-append "root=/dev/hda console=ttyS0" -nographic
Use Ctrl-a c to switch between the serial console and the monitor (see section 3.4 Keys).
QEMU emulates a PCI UHCI USB controller. You can virtually plug virtual USB devices or real host USB devices (experimental, works only on Linux hosts). Qemu will automatically create and connect virtual USB hubs as necessary to connect multiple USB devices.
USB devices can be connected with the `-usbdevice' commandline option
or the usb_add monitor command. Available devices are:
mouse
tablet
disk:file
host:bus.addr
host:vendor_id:product_id
wacom-tablet
tablet
above but it can be used with the tslib library because in addition to touch
coordinates it reports touch pressure.
keyboard
serial:[vendorid=vendor_id][,product_id=product_id]:dev
-serial option. The vendorid and productid options can be
used to override the default 0403:6001. For instance,
usb_add serial:productid=FA00:tcp:192.168.0.2:4444will connect to tcp port 4444 of ip 192.168.0.2, and plug that to the virtual serial converter, faking a Matrix Orbital LCD Display (USB ID 0403:FA00).
braille
net:options
-net nic,options (see description).
For instance, user-mode networking can be used with
qemu [...OPTIONS...] -net user,vlan=0 -usbdevice net:vlan=0Currently this cannot be used in machines that support PCI NICs.
bt[:hci-type]
-bt hci,vlan=0.
This USB device implements the USB Transport Layer of HCI. Example
usage:
qemu [...OPTIONS...] -usbdevice bt:hci,vlan=3 -bt device:keyboard,vlan=3
WARNING: this is an experimental feature. QEMU will slow down when using it. USB devices requiring real time streaming (i.e. USB Video Cameras) are not supported yet.
ls /proc/bus/usb 001 devices drivers
chown -R myuid /proc/bus/usb
info usbhost
Device 1.2, speed 480 Mb/s
Class 00: USB device 1234:5678, USB DISK
You should see the list of the devices you can use (Never try to use
hubs, it won't work).
usb_add host:1234:5678Normally the guest OS should report that a new USB device is plugged. You can use the option `-usbdevice' to do the same.
When relaunching QEMU, you may have to unplug and plug again the USB device to make it work again (this is a bug).
The VNC server capability provides access to the graphical console of the guest VM across the network. This has a number of security considerations depending on the deployment scenarios.
The simplest VNC server setup does not include any form of authentication. For this setup it is recommended to restrict it to listen on a UNIX domain socket only. For example
qemu [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
This ensures that only users on local box with read/write access to that path can access the VNC server. To securely access the VNC server from a remote machine, a combination of netcat+ssh can be used to provide a secure tunnel.
The VNC protocol has limited support for password based authentication. Since
the protocol limits passwords to 8 characters it should not be considered
to provide high security. The password can be fairly easily brute-forced by
a client making repeat connections. For this reason, a VNC server using password
authentication should be restricted to only listen on the loopback interface
or UNIX domain sockets. Password authentication is requested with the password
option, and then once QEMU is running the password is set with the monitor. Until
the monitor is used to set the password all clients will be rejected.
qemu [...OPTIONS...] -vnc :1,password -monitor stdio (qemu) change vnc password Password: ******** (qemu)
The QEMU VNC server also implements the VeNCrypt extension allowing use of TLS for encryption of the session, and x509 certificates for authentication. The use of x509 certificates is strongly recommended, because TLS on its own is susceptible to man-in-the-middle attacks. Basic x509 certificate support provides a secure session, but no authentication. This allows any client to connect, and provides an encrypted session.
qemu [...OPTIONS...] -vnc :1,tls,x509=/etc/pki/qemu -monitor stdio
In the above example /etc/pki/qemu should contain at least three files,
ca-cert.pem, server-cert.pem and server-key.pem. Unprivileged
users will want to use a private directory, for example $HOME/.pki/qemu.
NB the server-key.pem file should be protected with file mode 0600 to
only be readable by the user owning it.
Certificates can also provide a means to authenticate the client connecting. The server will request that the client provide a certificate, which it will then validate against the CA certificate. This is a good choice if deploying in an environment with a private internal certificate authority.
qemu [...OPTIONS...] -vnc :1,tls,x509verify=/etc/pki/qemu -monitor stdio
Finally, the previous method can be combined with VNC password authentication to provide two layers of authentication for clients.
qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor stdio (qemu) change vnc password Password: ******** (qemu)
The SASL authentication method is a VNC extension, that provides an easily extendable, pluggable authentication method. This allows for integration with a wide range of authentication mechanisms, such as PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more. The strength of the authentication depends on the exact mechanism configured. If the chosen mechanism also provides a SSF layer, then it will encrypt the datastream as well.
Refer to the later docs on how to choose the exact SASL mechanism used for authentication, but assuming use of one supporting SSF, then QEMU can be launched with:
qemu [...OPTIONS...] -vnc :1,sasl -monitor stdio
If the desired SASL authentication mechanism does not supported SSF layers, then it is strongly advised to run it in combination with TLS and x509 certificates. This provides securely encrypted data stream, avoiding risk of compromising of the security credentials. This can be enabled, by combining the 'sasl' option with the aforementioned TLS + x509 options:
qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio
The GNU TLS packages provides a command called certtool which can
be used to generate certificates and keys in PEM format. At a minimum it
is neccessary to setup a certificate authority, and issue certificates to
each server. If using certificates for authentication, then each client
will also need to be issued a certificate. The recommendation is for the
server to keep its certificates in either /etc/pki/qemu or for
unprivileged users in $HOME/.pki/qemu.
This step only needs to be performed once per organization / organizational unit. First the CA needs a private key. This key must be kept VERY secret and secure. If this key is compromised the entire trust chain of the certificates issued with it is lost.
# certtool --generate-privkey > ca-key.pem
A CA needs to have a public certificate. For simplicity it can be a self-signed certificate, or one issue by a commercial certificate issuing authority. To generate a self-signed certificate requires one core piece of information, the name of the organization.
# cat > ca.info <<EOF
cn = Name of your organization
ca
cert_signing_key
EOF
# certtool --generate-self-signed \
--load-privkey ca-key.pem
--template ca.info \
--outfile ca-cert.pem
The ca-cert.pem file should be copied to all servers and clients wishing to utilize
TLS support in the VNC server. The ca-key.pem must not be disclosed/copied at all.
Each server (or host) needs to be issued with a key and certificate. When connecting the certificate is sent to the client which validates it against the CA certificate. The core piece of information for a server certificate is the hostname. This should be the fully qualified hostname that the client will connect with, since the client will typically also verify the hostname in the certificate. On the host holding the secure CA private key:
# cat > server.info <<EOF
organization = Name of your organization
cn = server.foo.example.com
tls_www_server
encryption_key
signing_key
EOF
# certtool --generate-privkey > server-key.pem
# certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey server server-key.pem \
--template server.info \
--outfile server-cert.pem
The server-key.pem and server-cert.pem files should now be securely copied
to the server for which they were generated. The server-key.pem is security
sensitive and should be kept protected with file mode 0600 to prevent disclosure.
If the QEMU VNC server is to use the x509verify option to validate client
certificates as its authentication mechanism, each client also needs to be issued
a certificate. The client certificate contains enough metadata to uniquely identify
the client, typically organization, state, city, building, etc. On the host holding
the secure CA private key:
# cat > client.info <<EOF
country = GB
state = London
locality = London
organiazation = Name of your organization
cn = client.foo.example.com
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > client-key.pem
# certtool --generate-certificate \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--load-privkey client-key.pem \
--template client.info \
--outfile client-cert.pem
The client-key.pem and client-cert.pem files should now be securely
copied to the client for which they were generated.
The following documentation assumes use of the Cyrus SASL implementation on a Linux host, but the principals should apply to any other SASL impl. When SASL is enabled, the mechanism configuration will be loaded from system default SASL service config /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user, an environment variable SASL_CONF_PATH can be used to make it search alternate locations for the service config.
The default configuration might contain
mech_list: digest-md5 sasldb_path: /etc/qemu/passwd.db
This says to use the 'Digest MD5' mechanism, which is similar to the HTTP Digest-MD5 mechanism. The list of valid usernames & passwords is maintained in the /etc/qemu/passwd.db file, and can be updated using the saslpasswd2 command. While this mechanism is easy to configure and use, it is not considered secure by modern standards, so only suitable for developers / ad-hoc testing.
A more serious deployment might use Kerberos, which is done with the 'gssapi' mechanism
mech_list: gssapi keytab: /etc/qemu/krb5.tab
For this to work the administrator of your KDC must generate a Kerberos principal for the server, with a name of 'qemu/somehost.example.com@EXAMPLE.COM' replacing 'somehost.example.com' with the fully qualified host name of the machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm.
Other configurations will be left as an exercise for the reader. It should be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data encryption. For all other mechanisms, VNC should always be configured to use TLS and x509 certificates to protect security credentials from snooping.
QEMU has a primitive support to work with gdb, so that you can do 'Ctrl-C' while the virtual machine is running and inspect its state.
In order to use gdb, launch qemu with the '-s' option. It will wait for a gdb connection:
> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
-append "root=/dev/hda"
Connected to host network interface: tun0
Waiting gdb connection on port 1234
Then launch gdb on the 'vmlinux' executable:
> gdb vmlinux
In gdb, connect to QEMU:
(gdb) target remote localhost:1234
Then you can use gdb normally. For example, type 'c' to launch the kernel:
(gdb) c
Here are some useful tips in order to use gdb on system code:
info reg to display all the CPU registers.
x/10i $eip to display the code at the PC position.
set architecture i8086 to dump 16 bit code. Then use
x/10i $cs*16+$eip to dump the code at the PC position.
Advanced debugging options:
The default single stepping behavior is step with the IRQs and timer service routines off. It is set this way because when gdb executes a single step it expects to advance beyond the current instruction. With the IRQs and and timer service routines on, a single step might jump into the one of the interrupt or exception vectors instead of executing the current instruction. This means you may hit the same breakpoint a number of times before executing the instruction gdb wants to have executed. Because there are rare circumstances where you want to single step into an interrupt vector the behavior can be controlled from GDB. There are three commands you can query and set the single step behavior:
maintenance packet qqemu.sstepbits
(gdb) maintenance packet qqemu.sstepbits sending: "qqemu.sstepbits" received: "ENABLE=1,NOIRQ=2,NOTIMER=4"
maintenance packet qqemu.sstep
(gdb) maintenance packet qqemu.sstep sending: "qqemu.sstep" received: "0x7"
maintenance packet Qqemu.sstep=HEX_VALUE
(gdb) maintenance packet Qqemu.sstep=0x5 sending: "qemu.sstep=0x5" received: "OK"
To have access to SVGA graphic modes under X11, use the vesa or
the cirrus X11 driver. For optimal performances, use 16 bit
color depth in the guest and the host OS.
When using a 2.6 guest Linux kernel, you should add the option
clock=pit on the kernel command line because the 2.6 Linux
kernels make very strict real time clock checks by default that QEMU
cannot simulate exactly.
When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is not activated because QEMU is slower with this patch. The QEMU Accelerator Module is also much slower in this case. Earlier Fedora Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporate this patch by default. Newer kernels don't have it.
If you have a slow host, using Windows 95 is better as it gives the best speed. Windows 2000 is also a good choice.
QEMU emulates a Cirrus Logic GD5446 Video card. All Windows versions starting from Windows 95 should recognize and use this graphic card. For optimal performances, use 16 bit color depth in the guest and the host OS.
If you are using Windows XP as guest OS and if you want to use high resolution modes which the Cirrus Logic BIOS does not support (i.e. >= 1280x1024x16), then you should use the VESA VBE virtual graphic card (option `-std-vga').
Windows 9x does not correctly use the CPU HLT instruction. The result is that it takes host CPU cycles even when idle. You can install the utility from http://www.user.cityline.ru/~maxamn/amnhltm.zip to solve this problem. Note that no such tool is needed for NT, 2000 or XP.
Windows 2000 has a bug which gives a disk full problem during its installation. When installing it, use the `-win2k-hack' QEMU option to enable a specific workaround. After Windows 2000 is installed, you no longer need this option (this option slows down the IDE transfers).
Windows 2000 cannot automatically shutdown in QEMU although Windows 98 can. It comes from the fact that Windows 2000 does not automatically use the APM driver provided by the BIOS.
In order to correct that, do the following (thanks to Struan Bartlett): go to the Control Panel => Add/Remove Hardware & Next => Add/Troubleshoot a device => Add a new device & Next => No, select the hardware from a list & Next => NT Apm/Legacy Support & Next => Next (again) a few times. Now the driver is installed and Windows 2000 now correctly instructs QEMU to shutdown at the appropriate moment.
See section 3.3 Invocation about the help of the option `-smb'.
Some releases of Windows XP install correctly but give a security error when booting:
A problem is preventing Windows from accurately checking the license for this computer. Error code: 0x800703e6.
The workaround is to install a service pack for XP after a boot in safe mode. Then reboot, and the problem should go away. Since there is no network while in safe mode, its recommended to download the full installation of SP1 or SP2 and transfer that via an ISO or using the vvfat block device ("-hdb fat:directory_which_holds_the_SP").
DOS does not correctly use the CPU HLT instruction. The result is that it takes host CPU cycles even when idle. You can install the utility from http://www.vmware.com/software/dosidle210.zip to solve this problem.
QEMU is a generic emulator and it emulates many non PC machines. Most of the options are similar to the PC emulator. The differences are mentioned in the following sections.
Use the executable `qemu-system-ppc' to simulate a complete PREP or PowerMac PowerPC system.
QEMU emulates the following PowerMac peripherals:
QEMU emulates the following PREP peripherals:
QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at http://perso.magic.fr/l_indien/OpenHackWare/index.htm.
Since version 0.9.1, QEMU uses OpenBIOS http://www.openbios.org/ for the g3beige and mac99 PowerMac machines. OpenBIOS is a free (GPL v2) portable firmware implementation. The goal is to implement a 100% IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.
The following options are specific to the PowerPC emulation:
qemu-system-ppc -prom-env 'auto-boot?=false' \ -prom-env 'boot-device=hd:2,\yaboot' \ -prom-env 'boot-args=conf=hd:2,\yaboot.conf'These variables are not used by Open Hack'Ware.
More information is available at http://perso.magic.fr/l_indien/qemu-ppc/.
Use the executable `qemu-system-sparc' to simulate the following Sun4m architecture machines:
The emulation is somewhat complete. SMP up to 16 CPUs is supported, but Linux limits the number of usable CPUs to 4.
It's also possible to simulate a SPARCstation 2 (sun4c architecture), SPARCserver 1000, or SPARCcenter 2000 (sun4d architecture), but these emulators are not usable yet.
QEMU emulates the following sun4m/sun4c/sun4d peripherals:
The number of peripherals is fixed in the architecture. Maximum memory size depends on the machine type, for SS-5 it is 256MB and for others 2047MB.
Since version 0.8.2, QEMU uses OpenBIOS http://www.openbios.org/. OpenBIOS is a free (GPL v2) portable firmware implementation. The goal is to implement a 100% IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.
A sample Linux 2.6 series kernel and ram disk image are available on the QEMU web site. There are still issues with NetBSD and OpenBSD, but some kernel versions work. Please note that currently Solaris kernels don't work probably due to interface issues between OpenBIOS and Solaris.
The following options are specific to the Sparc32 emulation:
qemu-system-sparc -prom-env 'auto-boot?=false' \ -prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'
Use the executable `qemu-system-sparc64' to simulate a Sun4u (UltraSPARC PC-like machine), Sun4v (T1 PC-like machine), or generic Niagara (T1) machine. The emulator is not usable for anything yet, but it can launch some kernels.
QEMU emulates the following peripherals:
The following options are specific to the Sparc64 emulation:
qemu-system-sparc64 -prom-env 'auto-boot?=false'
Four executables cover simulation of 32 and 64-bit MIPS systems in both endian options, `qemu-system-mips', `qemu-system-mipsel' `qemu-system-mips64' and `qemu-system-mips64el'. Five different machine types are emulated:
The generic emulation is supported by Debian 'Etch' and is able to install Debian into a virtual disk image. The following devices are emulated:
The Malta emulation supports the following devices:
The ACER Pica emulation supports:
The mipssim pseudo board emulation provides an environment similiar to what the proprietary MIPS emulator uses for running Linux. It supports:
The MIPS Magnum R4000 emulation supports:
Use the executable `qemu-system-arm' to simulate a ARM machine. The ARM Integrator/CP board is emulated with the following devices:
The ARM Versatile baseboard is emulated with the following devices:
The ARM RealView Emulation baseboard is emulated with the following devices:
The XScale-based clamshell PDA models ("Spitz", "Akita", "Borzoi" and "Terrier") emulation includes the following peripherals:
The Palm Tungsten|E PDA (codename "Cheetah") emulation includes the following elements:
Nokia N800 and N810 internet tablets (known also as RX-34 and RX-44 / 48) emulation supports the following elements:
The Luminary Micro Stellaris LM3S811EVB emulation includes the following devices:
The Luminary Micro Stellaris LM3S6965EVB emulation includes the following devices:
The Freecom MusicPal internet radio emulation includes the following elements:
The Siemens SX1 models v1 and v2 (default) basic emulation. The emulaton includes the following elements:
The "Syborg" Symbian Virtual Platform base model includes the following elements:
A Linux 2.6 test image is available on the QEMU web site. More information is available in the QEMU mailing-list archive.
The following options are specific to the ARM emulation:
Use the executable `qemu-system-m68k' to simulate a ColdFire machine. The emulator is able to boot a uClinux kernel.
The M5208EVB emulation includes the following devices:
The AN5206 emulation includes the following devices:
The following options are specific to the ARM emulation:
The following OS are supported in user space emulation:
In order to launch a Linux process, QEMU needs the process executable itself and all the target (x86) dynamic libraries used by it.
qemu-i386 -L / /bin/ls
-L / tells that the x86 dynamic linker must be searched with a
`/' prefix.
qemu-i386 -L / qemu-i386 -L / /bin/ls
LD_LIBRARY_PATH is not set:
unset LD_LIBRARY_PATHThen you can launch the precompiled `ls' x86 executable:
qemu-i386 tests/i386/lsYou can look at `qemu-binfmt-conf.sh' so that QEMU is automatically launched by the Linux kernel when you try to launch x86 executables. It requires the
binfmt_misc module in the
Linux kernel.
qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
/usr/local/qemu-i386/bin/ls-i386
qemu-i386 /usr/local/qemu-i386/bin/ls-i386
${HOME}/.wine directory is saved to ${HOME}/.wine.org.
qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
/usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
usage: qemu-i386 [-h] [-d] [-L path] [-s size] [-cpu model] [-g port] program [arguments...]
Debug options:
Environment variables:
qemu-arm is also capable of running ARM "Angel" semihosted ELF
binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB
configurations), and arm-uclinux bFLT format binaries.
qemu-m68k is capable of running semihosted binaries using the BDM
(m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and
coldfire uClinux bFLT format binaries.
The binary format is detected automatically.
qemu-sparc can execute Sparc32 binaries (Sparc32 CPU, 32 bit ABI).
qemu-sparc32plus can execute Sparc32 and SPARC32PLUS binaries
(Sparc64 CPU, 32 bit ABI).
qemu-sparc64 can execute some Sparc64 (Sparc64 CPU, 64 bit ABI) and
SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).
[1] If you're host commpage can be executed by qemu.
In order to launch a Mac OS X/Darwin process, QEMU needs the process executable itself and all the target dynamic libraries used by it. If you don't have the FAT libraries (you're running Mac OS X/ppc) you'll need to obtain it from a Mac OS X CD or compile them by hand.
qemu-i386 /bin/lsor to run the ppc version of the executable:
qemu-ppc /bin/ls
qemu-i386 -L /opt/x86_root/ /bin/ls
-L /opt/x86_root/ tells that the dynamic linker (dyld) path is in
`/opt/x86_root/usr/bin/dyld'.
usage: qemu-i386 [-h] [-d] [-L path] [-s size] program [arguments...]
Debug options:
In order to launch a BSD process, QEMU needs the process executable itself and all the target dynamic libraries used by it.
qemu-sparc64 /bin/ls
usage: qemu-sparc64 [-h] [-d] [-L path] [-s size] [-bsd type] program [arguments...]
Debug options:
First you must decompress the sources:
cd /tmp tar zxvf qemu-x.y.z.tar.gz cd qemu-x.y.z
Then you configure QEMU and build it (usually no options are needed):
./configure make
Then type as root user:
make install
to install QEMU in `/usr/local'.
./configure --enable-mingw32If necessary, you can change the cross-prefix according to the prefix chosen for the MinGW tools with --cross-prefix. You can also use --prefix to set the Win32 install path.
Note: Currently, Wine does not seem able to launch QEMU for Win32.
The Mac OS X patches are not fully merged in QEMU, so you should look at the QEMU mailing list archive to have all the necessary information.
Jump to:
This document was generated on 2 October 2009 using texi2html 1.56k.