Archipelago » qemu

\input texinfo @c -*- texinfo -*-

@c %**start of header

@setfilename qemu-doc.info

@settitle QEMU Emulator User Documentation

@exampleindent 0

@paragraphindent 0

@c %**end of header

@iftex

@titlepage

@sp 7

@center @titlefont{QEMU Emulator}

@sp 1

@center @titlefont{User Documentation}

@sp 3

@end titlepage

@end iftex

@ifnottex

@node Top

@top

@menu

* Introduction::

* Installation::

* QEMU PC System emulator::

* QEMU System emulator for non PC targets::

* QEMU User space emulator::

* compilation:: Compilation from the sources

* Index::

@end menu

@end ifnottex

@contents

@node Introduction

@chapter Introduction

@menu

* intro_features:: Features

@end menu

@node intro_features

@section Features

QEMU is a FAST! processor emulator using dynamic translation to

achieve good emulation speed.

QEMU has two operating modes:

@itemize @minus

@item

Full system emulation. In this mode, QEMU emulates a full system (for

example a PC), including one or several processors and various

peripherals. It can be used to launch different Operating Systems

without rebooting the PC or to debug system code.

@item

User mode emulation. In this mode, QEMU can launch

processes compiled for one CPU on another CPU. It can be used to

launch the Wine Windows API emulator (@url{http://www.winehq.org}) or

to ease cross-compilation and cross-debugging.

@end itemize

QEMU can run without an host kernel driver and yet gives acceptable

performance.

For system emulation, the following hardware targets are supported:

@itemize

@item PC (x86 or x86_64 processor)

@item ISA PC (old style PC without PCI bus)

@item PREP (PowerPC processor)

@item G3 BW PowerMac (PowerPC processor)

@item Mac99 PowerMac (PowerPC processor, in progress)

@item Sun4m (32-bit Sparc processor)

@item Sun4u (64-bit Sparc processor, in progress)

@item Malta board (32-bit MIPS processor)

@item ARM Integrator/CP (ARM)

@item ARM Versatile baseboard (ARM)

@item ARM RealView Emulation baseboard (ARM)

@item Spitz, Akita, Borzoi and Terrier PDAs (PXA270 processor)

@item Luminary Micro LM3S811EVB (ARM Cortex-M3)

@item Luminary Micro LM3S6965EVB (ARM Cortex-M3)

@item Freescale MCF5208EVB (ColdFire V2).

@item Arnewsh MCF5206 evaluation board (ColdFire V2).

@item Palm Tungsten|E PDA (OMAP310 processor)

@end itemize

For user emulation, x86, PowerPC, ARM, MIPS, Sparc32/64 and ColdFire(m68k) CPUs are supported.

@node Installation

@chapter Installation

If you want to compile QEMU yourself, see @ref{compilation}.

@menu

* install_linux::   Linux

* install_windows:: Windows

* install_mac::     Macintosh

@end menu

@node install_linux

@section Linux

If a precompiled package is available for your distribution - you just

have to install it. Otherwise, see @ref{compilation}.

@node install_windows

@section Windows

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node install_mac

@section Mac OS X

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node QEMU PC System emulator

@chapter QEMU PC System emulator

@menu

* pcsys_introduction:: Introduction

* pcsys_quickstart::   Quick Start

* sec_invocation::     Invocation

* pcsys_keys::         Keys

* pcsys_monitor::      QEMU Monitor

* disk_images::        Disk Images

* pcsys_network::      Network emulation

* direct_linux_boot::  Direct Linux Boot

* pcsys_usb::          USB emulation

* vnc_security::       VNC security

* gdb_usage::          GDB usage

* pcsys_os_specific::  Target OS specific information

@end menu

@node pcsys_introduction

@section Introduction

@c man begin DESCRIPTION

The QEMU PC System emulator simulates the

following peripherals:

@itemize @minus

@item

i440FX host PCI bridge and PIIX3 PCI to ISA bridge

@item

Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA

extensions (hardware level, including all non standard modes).

@item

PS/2 mouse and keyboard

@item

2 PCI IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@item

PCI/ISA PCI network adapters

@item

Serial ports

@item

Creative SoundBlaster 16 sound card

@item

ENSONIQ AudioPCI ES1370 sound card

@item

Adlib(OPL2) - Yamaha YM3812 compatible chip

@item

PCI UHCI USB controller and a virtual USB hub.

@end itemize

SMP is supported with up to 255 CPUs.

Note that adlib is only available when QEMU was configured with

-enable-adlib

QEMU uses the PC BIOS from the Bochs project and the Plex86/Bochs LGPL

VGA BIOS.

QEMU uses YM3812 emulation by Tatsuyuki Satoh.

@c man end

@node pcsys_quickstart

@section Quick Start

Download and uncompress the linux image (@file{linux.img}) and type:

@example

qemu linux.img

@end example

Linux should boot and give you a prompt.

@node sec_invocation

@section Invocation

@example

@c man begin SYNOPSIS

usage: qemu [options] [@var{disk_image}]

@c man end

@end example

@c man begin OPTIONS

@var{disk_image} is a raw hard disk image for IDE hard disk 0.

General options:

@table @option

@item -M @var{machine}

Select the emulated @var{machine} (@code{-M ?} for list)

@item -fda @var{file}

@item -fdb @var{file}

Use @var{file} as floppy disk 0/1 image (@pxref{disk_images}). You can

use the host floppy by using @file{/dev/fd0} as filename (@pxref{host_drives}).

@item -hda @var{file}

@item -hdb @var{file}

@item -hdc @var{file}

@item -hdd @var{file}

Use @var{file} as hard disk 0, 1, 2 or 3 image (@pxref{disk_images}).

@item -cdrom @var{file}

Use @var{file} as CD-ROM image (you cannot use @option{-hdc} and

@option{-cdrom} at the same time). You can use the host CD-ROM by

using @file{/dev/cdrom} as filename (@pxref{host_drives}).

@item -boot [a|c|d|n]

Boot on floppy (a), hard disk (c), CD-ROM (d), or Etherboot (n). Hard disk boot

is the default.

@item -snapshot

Write to temporary files instead of disk image files. In this case,

the raw disk image you use is not written back. You can however force

the write back by pressing @key{C-a s} (@pxref{disk_images}).

@item -no-fd-bootchk

Disable boot signature checking for floppy disks in Bochs BIOS. It may

be needed to boot from old floppy disks.

@item -m @var{megs}

Set virtual RAM size to @var{megs} megabytes. Default is 128 MiB.

@item -smp @var{n}

Simulate an SMP system with @var{n} CPUs. On the PC target, up to 255

CPUs are supported. On Sparc32 target, Linux limits the number of usable CPUs

to 4.

@item -audio-help

Will show the audio subsystem help: list of drivers, tunable

parameters.

@item -soundhw @var{card1}[,@var{card2},...] or -soundhw all

Enable audio and selected sound hardware. Use ? to print all

available sound hardware.

@example

qemu -soundhw sb16,adlib hda

qemu -soundhw es1370 hda

qemu -soundhw all hda

qemu -soundhw ?

@end example

@item -localtime

Set the real time clock to local time (the default is to UTC

time). This option is needed to have correct date in MS-DOS or

Windows.

@item -startdate @var{date}

Set the initial date of the real time clock. Valid format for

@var{date} are: @code{now} or @code{2006-06-17T16:01:21} or

@code{2006-06-17}. The default value is @code{now}.

@item -pidfile @var{file}

Store the QEMU process PID in @var{file}. It is useful if you launch QEMU

from a script.

@item -daemonize

Daemonize the QEMU process after initialization.  QEMU will not detach from

standard IO until it is ready to receive connections on any of its devices.

This option is a useful way for external programs to launch QEMU without having

to cope with initialization race conditions.

@item -win2k-hack

Use it when installing Windows 2000 to avoid a disk full bug. After

Windows 2000 is installed, you no longer need this option (this option

slows down the IDE transfers).

@item -option-rom @var{file}

Load the contents of @var{file} as an option ROM.

This option is useful to load things like EtherBoot.

@item -name @var{name}

Sets the @var{name} of the guest.

This name will be display in the SDL window caption.

The @var{name} will also be used for the VNC server.

@end table

Display options:

@table @option

@item -nographic

Normally, QEMU uses SDL to display the VGA output. With this option,

you can totally disable graphical output so that QEMU is a simple

command line application. The emulated serial port is redirected on

the console. Therefore, you can still use QEMU to debug a Linux kernel

with a serial console.

@item -no-frame

Do not use decorations for SDL windows and start them using the whole

available screen space. This makes the using QEMU in a dedicated desktop

workspace more convenient.

@item -full-screen

Start in full screen.

@item -vnc @var{display}[,@var{option}[,@var{option}[,...]]]

Normally, QEMU uses SDL to display the VGA output.  With this option,

you can have QEMU listen on VNC display @var{display} and redirect the VGA

display over the VNC session.  It is very useful to enable the usb

tablet device when using this option (option @option{-usbdevice

tablet}). When using the VNC display, you must use the @option{-k}

parameter to set the keyboard layout if you are not using en-us. Valid

syntax for the @var{display} is

@table @code

@item @var{interface}:@var{d}

TCP connections will only be allowed from @var{interface} on display @var{d}.

By convention the TCP port is 5900+@var{d}. Optionally, @var{interface} can

be omitted in which case the server will bind to all interfaces.

@item @var{unix}:@var{path}

Connections will be allowed over UNIX domain sockets where @var{path} is the

location of a unix socket to listen for connections on.

@item none

VNC is initialized by not started. The monitor @code{change} command can be used

to later start the VNC server.

@end table

Following the @var{display} value there may be one or more @var{option} flags

separated by commas. Valid options are

@table @code

@item password

Require that password based authentication is used for client connections.

The password must be set separately using the @code{change} command in the

@ref{pcsys_monitor}

@item tls

Require that client use TLS when communicating with the VNC server. This

uses anonymous TLS credentials so is susceptible to a man-in-the-middle

attack. It is recommended that this option be combined with either the

@var{x509} or @var{x509verify} options.

@item x509=@var{/path/to/certificate/dir}

Valid if @option{tls} is specified. Require that x509 credentials are used

for negotiating the TLS session. The server will send its x509 certificate

to the client. It is recommended that a password be set on the VNC server

to provide authentication of the client when this is used. The path following

this option specifies where the x509 certificates are to be loaded from.

See the @ref{vnc_security} section for details on generating certificates.

@item x509verify=@var{/path/to/certificate/dir}

Valid if @option{tls} is specified. Require that x509 credentials are used

for negotiating the TLS session. The server will send its x509 certificate

to the client, and request that the client send its own x509 certificate.

The server will validate the client's certificate against the CA certificate,

and reject clients when validation fails. If the certificate authority is

trusted, this is a sufficient authentication mechanism. You may still wish

to set a password on the VNC server as a second authentication layer. The

path following this option specifies where the x509 certificates are to

be loaded from. See the @ref{vnc_security} section for details on generating

certificates.

@end table

@item -k @var{language}

Use keyboard layout @var{language} (for example @code{fr} for

French). This option is only needed where it is not easy to get raw PC

keycodes (e.g. on Macs, with some X11 servers or with a VNC

display). You don't normally need to use it on PC/Linux or PC/Windows

hosts.

The available layouts are:

@example

ar  de-ch  es  fo     fr-ca  hu  ja  mk     no  pt-br  sv

da  en-gb  et  fr     fr-ch  is  lt  nl     pl  ru     th

de  en-us  fi  fr-be  hr     it  lv  nl-be  pt  sl     tr

@end example

The default is @code{en-us}.

@end table

USB options:

@table @option

@item -usb

Enable the USB driver (will be the default soon)

@item -usbdevice @var{devname}

Add the USB device @var{devname}. @xref{usb_devices}.

@end table

Network options:

@table @option

@item -net nic[,vlan=@var{n}][,macaddr=@var{addr}][,model=@var{type}]

Create a new Network Interface Card and connect it to VLAN @var{n} (@var{n}

= 0 is the default). The NIC is an ne2k_pci by default on the PC

target. Optionally, the MAC address can be changed. If no

@option{-net} option is specified, a single NIC is created.

Qemu can emulate several different models of network card.

Valid values for @var{type} are

@code{i82551}, @code{i82557b}, @code{i82559er},

@code{ne2k_pci}, @code{ne2k_isa}, @code{pcnet}, @code{rtl8139},

@code{smc91c111}, @code{lance} and @code{mcf_fec}.

Not all devices are supported on all targets.  Use -net nic,model=?

for a list of available devices for your target.

@item -net user[,vlan=@var{n}][,hostname=@var{name}]

Use the user mode network stack which requires no administrator

privilege to run.  @option{hostname=name} can be used to specify the client

hostname reported by the builtin DHCP server.

@item -net tap[,vlan=@var{n}][,fd=@var{h}][,ifname=@var{name}][,script=@var{file}]

Connect the host TAP network interface @var{name} to VLAN @var{n} and

use the network script @var{file} to configure it. The default

network script is @file{/etc/qemu-ifup}. Use @option{script=no} to

disable script execution. If @var{name} is not

provided, the OS automatically provides one. @option{fd}=@var{h} can be

used to specify the handle of an already opened host TAP interface. Example:

@example

qemu linux.img -net nic -net tap

@end example

More complicated example (two NICs, each one connected to a TAP device)

@example

qemu linux.img -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 \

               -net nic,vlan=1 -net tap,vlan=1,ifname=tap1

@end example

@item -net socket[,vlan=@var{n}][,fd=@var{h}][,listen=[@var{host}]:@var{port}][,connect=@var{host}:@var{port}]

Connect the VLAN @var{n} to a remote VLAN in another QEMU virtual

machine using a TCP socket connection. If @option{listen} is

specified, QEMU waits for incoming connections on @var{port}

(@var{host} is optional). @option{connect} is used to connect to

another QEMU instance using the @option{listen} option. @option{fd}=@var{h}

specifies an already opened TCP socket.

Example:

@example

# launch a first QEMU instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,listen=:1234

# connect the VLAN 0 of this instance to the VLAN 0

# of the first instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \

               -net socket,connect=127.0.0.1:1234

@end example

@item -net socket[,vlan=@var{n}][,fd=@var{h}][,mcast=@var{maddr}:@var{port}]

Create a VLAN @var{n} shared with another QEMU virtual

machines using a UDP multicast socket, effectively making a bus for

every QEMU with same multicast address @var{maddr} and @var{port}.

NOTES:

@enumerate

@item

Several QEMU can be running on different hosts and share same bus (assuming

correct multicast setup for these hosts).

@item

mcast support is compatible with User Mode Linux (argument @option{eth@var{N}=mcast}), see

@url{http://user-mode-linux.sf.net}.

@item

Use @option{fd=h} to specify an already opened UDP multicast socket.

@end enumerate

Example:

@example

# launch one QEMU instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,mcast=230.0.0.1:1234

# launch another QEMU instance on same "bus"

qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \

               -net socket,mcast=230.0.0.1:1234

# launch yet another QEMU instance on same "bus"

qemu linux.img -net nic,macaddr=52:54:00:12:34:58 \

               -net socket,mcast=230.0.0.1:1234

@end example

Example (User Mode Linux compat.):

@example

# launch QEMU instance (note mcast address selected

# is UML's default)

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,mcast=239.192.168.1:1102

# launch UML

/path/to/linux ubd0=/path/to/root_fs eth0=mcast

@end example

@item -net none

Indicate that no network devices should be configured. It is used to

override the default configuration (@option{-net nic -net user}) which

is activated if no @option{-net} options are provided.

@item -tftp @var{dir}

When using the user mode network stack, activate a built-in TFTP

server. The files in @var{dir} will be exposed as the root of a TFTP server.

The TFTP client on the guest must be configured in binary mode (use the command

@code{bin} of the Unix TFTP client). The host IP address on the guest is as

usual 10.0.2.2.

@item -bootp @var{file}

When using the user mode network stack, broadcast @var{file} as the BOOTP

filename.  In conjunction with @option{-tftp}, this can be used to network boot

a guest from a local directory.

Example (using pxelinux):

@example

qemu -hda linux.img -boot n -tftp /path/to/tftp/files -bootp /pxelinux.0

@end example

@item -smb @var{dir}

When using the user mode network stack, activate a built-in SMB

server so that Windows OSes can access to the host files in @file{@var{dir}}

transparently.

In the guest Windows OS, the line:

@example

10.0.2.4 smbserver

@end example

must be added in the file @file{C:\WINDOWS\LMHOSTS} (for windows 9x/Me)

or @file{C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS} (Windows NT/2000).

Then @file{@var{dir}} can be accessed in @file{\\smbserver\qemu}.

Note that a SAMBA server must be installed on the host OS in

@file{/usr/sbin/smbd}. QEMU was tested successfully with smbd version

2.2.7a from the Red Hat 9 and version 3.0.10-1.fc3 from Fedora Core 3.

@item -redir [tcp|udp]:@var{host-port}:[@var{guest-host}]:@var{guest-port}

When using the user mode network stack, redirect incoming TCP or UDP

connections to the host port @var{host-port} to the guest

@var{guest-host} on guest port @var{guest-port}. If @var{guest-host}

is not specified, its value is 10.0.2.15 (default address given by the

built-in DHCP server).

For example, to redirect host X11 connection from screen 1 to guest

screen 0, use the following:

@example

# on the host

qemu -redir tcp:6001::6000 [...]

# this host xterm should open in the guest X11 server

xterm -display :1

@end example

To redirect telnet connections from host port 5555 to telnet port on

the guest, use the following:

@example

# on the host

qemu -redir tcp:5555::23 [...]

telnet localhost 5555

@end example

Then when you use on the host @code{telnet localhost 5555}, you

connect to the guest telnet server.

@end table

Linux boot specific: When using these options, you can use a given

Linux kernel without installing it in the disk image. It can be useful

for easier testing of various kernels.

@table @option

@item -kernel @var{bzImage}

Use @var{bzImage} as kernel image.

@item -append @var{cmdline}

Use @var{cmdline} as kernel command line

@item -initrd @var{file}

Use @var{file} as initial ram disk.

@end table

Debug/Expert options:

@table @option

@item -serial @var{dev}

Redirect the virtual serial port to host character device

@var{dev}. The default device is @code{vc} in graphical mode and

@code{stdio} in non graphical mode.

This option can be used several times to simulate up to 4 serials

ports.

Use @code{-serial none} to disable all serial ports.

Available character devices are:

@table @code

@item vc[:WxH]

Virtual console. Optionally, a width and height can be given in pixel with

@example

vc:800x600

@end example

It is also possible to specify width or height in characters:

@example

vc:80Cx24C

@end example

@item pty

[Linux only] Pseudo TTY (a new PTY is automatically allocated)

@item none

No device is allocated.

@item null

void device

@item /dev/XXX

[Linux only] Use host tty, e.g. @file{/dev/ttyS0}. The host serial port

parameters are set according to the emulated ones.

@item /dev/parport@var{N}

[Linux only, parallel port only] Use host parallel port

@var{N}. Currently SPP and EPP parallel port features can be used.

@item file:@var{filename}

Write output to @var{filename}. No character can be read.

@item stdio

[Unix only] standard input/output

@item pipe:@var{filename}

name pipe @var{filename}

@item COM@var{n}

[Windows only] Use host serial port @var{n}

@item udp:[@var{remote_host}]:@var{remote_port}[@@[@var{src_ip}]:@var{src_port}]

This implements UDP Net Console.

When @var{remote_host} or @var{src_ip} are not specified

they default to @code{0.0.0.0}.

When not using a specified @var{src_port} a random port is automatically chosen.

If you just want a simple readonly console you can use @code{netcat} or

@code{nc}, by starting qemu with: @code{-serial udp::4555} and nc as:

@code{nc -u -l -p 4555}. Any time qemu writes something to that port it

will appear in the netconsole session.

If you plan to send characters back via netconsole or you want to stop

and start qemu a lot of times, you should have qemu use the same

source port each time by using something like @code{-serial

udp::4555@@:4556} to qemu. Another approach is to use a patched

version of netcat which can listen to a TCP port and send and receive

characters via udp.  If you have a patched version of netcat which

activates telnet remote echo and single char transfer, then you can

use the following options to step up a netcat redirector to allow

telnet on port 5555 to access the qemu port.

@table @code

@item Qemu Options:

-serial udp::4555@@:4556

@item netcat options:

-u -P 4555 -L 0.0.0.0:4556 -t -p 5555 -I -T

@item telnet options:

localhost 5555

@end table

@item tcp:[@var{host}]:@var{port}[,@var{server}][,nowait][,nodelay]

The TCP Net Console has two modes of operation.  It can send the serial

I/O to a location or wait for a connection from a location.  By default

the TCP Net Console is sent to @var{host} at the @var{port}.  If you use

the @var{server} option QEMU will wait for a client socket application

to connect to the port before continuing, unless the @code{nowait}

option was specified.  The @code{nodelay} option disables the Nagle buffering

algorithm.  If @var{host} is omitted, 0.0.0.0 is assumed. Only

one TCP connection at a time is accepted. You can use @code{telnet} to

connect to the corresponding character device.

@table @code

@item Example to send tcp console to 192.168.0.2 port 4444

-serial tcp:192.168.0.2:4444

@item Example to listen and wait on port 4444 for connection

-serial tcp::4444,server

@item Example to not wait and listen on ip 192.168.0.100 port 4444

-serial tcp:192.168.0.100:4444,server,nowait

@end table

@item telnet:@var{host}:@var{port}[,server][,nowait][,nodelay]

The telnet protocol is used instead of raw tcp sockets.  The options

work the same as if you had specified @code{-serial tcp}.  The

difference is that the port acts like a telnet server or client using

telnet option negotiation.  This will also allow you to send the

MAGIC_SYSRQ sequence if you use a telnet that supports sending the break

sequence.  Typically in unix telnet you do it with Control-] and then

type "send break" followed by pressing the enter key.

@item unix:@var{path}[,server][,nowait]

A unix domain socket is used instead of a tcp socket.  The option works the

same as if you had specified @code{-serial tcp} except the unix domain socket

@var{path} is used for connections.

@item mon:@var{dev_string}

This is a special option to allow the monitor to be multiplexed onto

another serial port.  The monitor is accessed with key sequence of

@key{Control-a} and then pressing @key{c}. See monitor access

@ref{pcsys_keys} in the -nographic section for more keys.

@var{dev_string} should be any one of the serial devices specified

above.  An example to multiplex the monitor onto a telnet server

listening on port 4444 would be:

@table @code

@item -serial mon:telnet::4444,server,nowait

@end table

@end table

@item -parallel @var{dev}

Redirect the virtual parallel port to host device @var{dev} (same

devices as the serial port). On Linux hosts, @file{/dev/parportN} can

be used to use hardware devices connected on the corresponding host

parallel port.

This option can be used several times to simulate up to 3 parallel

ports.

Use @code{-parallel none} to disable all parallel ports.

@item -monitor @var{dev}

Redirect the monitor to host device @var{dev} (same devices as the

serial port).

The default device is @code{vc} in graphical mode and @code{stdio} in

non graphical mode.

@item -echr numeric_ascii_value

Change the escape character used for switching to the monitor when using

monitor and serial sharing.  The default is @code{0x01} when using the

@code{-nographic} option.  @code{0x01} is equal to pressing

@code{Control-a}.  You can select a different character from the ascii

control keys where 1 through 26 map to Control-a through Control-z.  For

instance you could use the either of the following to change the escape

character to Control-t.

@table @code

@item -echr 0x14

@item -echr 20

@end table

@item -s

Wait gdb connection to port 1234 (@pxref{gdb_usage}).

@item -p @var{port}

Change gdb connection port.  @var{port} can be either a decimal number

to specify a TCP port, or a host device (same devices as the serial port).

@item -S

Do not start CPU at startup (you must type 'c' in the monitor).

@item -d

Output log in /tmp/qemu.log

@item -hdachs @var{c},@var{h},@var{s},[,@var{t}]

Force hard disk 0 physical geometry (1 <= @var{c} <= 16383, 1 <=

@var{h} <= 16, 1 <= @var{s} <= 63) and optionally force the BIOS

translation mode (@var{t}=none, lba or auto). Usually QEMU can guess

all those parameters. This option is useful for old MS-DOS disk

images.

@item -L path

Set the directory for the BIOS, VGA BIOS and keymaps.

@item -std-vga

Simulate a standard VGA card with Bochs VBE extensions (default is

Cirrus Logic GD5446 PCI VGA). If your guest OS supports the VESA 2.0

VBE extensions (e.g. Windows XP) and if you want to use high

resolution modes (>= 1280x1024x16) then you should use this option.

@item -no-acpi

Disable ACPI (Advanced Configuration and Power Interface) support. Use

it if your guest OS complains about ACPI problems (PC target machine

only).

@item -no-reboot

Exit instead of rebooting.

@item -loadvm file

Start right away with a saved state (@code{loadvm} in monitor)

@item -semihosting

Enable semihosting syscall emulation (ARM and M68K target machines only).

On ARM this implements the "Angel" interface.

On M68K this implements the "ColdFire GDB" interface used by libgloss.

Note that this allows guest direct access to the host filesystem,

so should only be used with trusted guest OS.

@end table

@c man end

@node pcsys_keys

@section Keys

@c man begin OPTIONS

During the graphical emulation, you can use the following keys:

@table @key

@item Ctrl-Alt-f

Toggle full screen

@item Ctrl-Alt-n

Switch to virtual console 'n'. Standard console mappings are:

@table @emph

@item 1

Target system display

@item 2

Monitor

@item 3

Serial port

@end table

@item Ctrl-Alt

Toggle mouse and keyboard grab.

@end table

In the virtual consoles, you can use @key{Ctrl-Up}, @key{Ctrl-Down},

@key{Ctrl-PageUp} and @key{Ctrl-PageDown} to move in the back log.

During emulation, if you are using the @option{-nographic} option, use

@key{Ctrl-a h} to get terminal commands:

@table @key

@item Ctrl-a h

Print this help

@item Ctrl-a x

Exit emulator

@item Ctrl-a s

Save disk data back to file (if -snapshot)

@item Ctrl-a t

toggle console timestamps

@item Ctrl-a b

Send break (magic sysrq in Linux)

@item Ctrl-a c

Switch between console and monitor

@item Ctrl-a Ctrl-a

Send Ctrl-a

@end table

@c man end

@ignore

@c man begin SEEALSO

The HTML documentation of QEMU for more precise information and Linux

user mode emulator invocation.

@c man end

@c man begin AUTHOR

Fabrice Bellard

@c man end

@end ignore

@node pcsys_monitor

@section QEMU Monitor

The QEMU monitor is used to give complex commands to the QEMU

emulator. You can use it to:

@itemize @minus

@item

Remove or insert removable media images

(such as CD-ROM or floppies).

@item

Freeze/unfreeze the Virtual Machine (VM) and save or restore its state

from a disk file.

@item Inspect the VM state without an external debugger.

@end itemize

@subsection Commands

The following commands are available:

@table @option

@item help or ? [@var{cmd}]

Show the help for all commands or just for command @var{cmd}.

@item commit

Commit changes to the disk images (if -snapshot is used).

@item info @var{subcommand}

Show various information about the system state.

@table @option

@item info network

show the various VLANs and the associated devices

@item info block

show the block devices

@item info registers

show the cpu registers

@item info history

show the command line history

@item info pci

show emulated PCI device

@item info usb

show USB devices plugged on the virtual USB hub

@item info usbhost

show all USB host devices

@item info capture

show information about active capturing

@item info snapshots

show list of VM snapshots

@item info mice

show which guest mouse is receiving events

@end table

@item q or quit

Quit the emulator.

@item eject [-f] @var{device}

Eject a removable medium (use -f to force it).

@item change @var{device} @var{setting}

Change the configuration of a device.

@table @option

@item change @var{diskdevice} @var{filename}

Change the medium for a removable disk device to point to @var{filename}. eg

@example

(qemu) change cdrom /path/to/some.iso

@end example

@item change vnc @var{display},@var{options}

Change the configuration of the VNC server. The valid syntax for @var{display}

and @var{options} are described at @ref{sec_invocation}. eg

@example

(qemu) change vnc localhost:1

@end example

@item change vnc password

Change the password associated with the VNC server. The monitor will prompt for

the new password to be entered. VNC passwords are only significant upto 8 letters.

eg.

@example

(qemu) change vnc password

Password: ********

@end example

@end table

@item screendump @var{filename}

Save screen into PPM image @var{filename}.

@item mouse_move @var{dx} @var{dy} [@var{dz}]

Move the active mouse to the specified coordinates @var{dx} @var{dy}

with optional scroll axis @var{dz}.

@item mouse_button @var{val}

Change the active mouse button state @var{val} (1=L, 2=M, 4=R).

@item mouse_set @var{index}

Set which mouse device receives events at given @var{index}, index

can be obtained with

@example

info mice

@end example

@item wavcapture @var{filename} [@var{frequency} [@var{bits} [@var{channels}]]]

Capture audio into @var{filename}. Using sample rate @var{frequency}

bits per sample @var{bits} and number of channels @var{channels}.

Defaults:

@itemize @minus

@item Sample rate = 44100 Hz - CD quality

@item Bits = 16

@item Number of channels = 2 - Stereo

@end itemize

@item stopcapture @var{index}

Stop capture with a given @var{index}, index can be obtained with

@example

info capture

@end example

@item log @var{item1}[,...]

Activate logging of the specified items to @file{/tmp/qemu.log}.

@item savevm [@var{tag}|@var{id}]

Create a snapshot of the whole virtual machine. If @var{tag} is

provided, it is used as human readable identifier. If there is already

a snapshot with the same tag or ID, it is replaced. More info at

@ref{vm_snapshots}.

@item loadvm @var{tag}|@var{id}

Set the whole virtual machine to the snapshot identified by the tag

@var{tag} or the unique snapshot ID @var{id}.

@item delvm @var{tag}|@var{id}

Delete the snapshot identified by @var{tag} or @var{id}.

@item stop

Stop emulation.

@item c or cont

Resume emulation.

@item gdbserver [@var{port}]

Start gdbserver session (default @var{port}=1234)

@item x/fmt @var{addr}

Virtual memory dump starting at @var{addr}.

@item xp /@var{fmt} @var{addr}

Physical memory dump starting at @var{addr}.

@var{fmt} is a format which tells the command how to format the

data. Its syntax is: @option{/@{count@}@{format@}@{size@}}

@table @var

@item count

is the number of items to be dumped.

@item format

can be x (hex), d (signed decimal), u (unsigned decimal), o (octal),

c (char) or i (asm instruction).

@item size

can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,

@code{h} or @code{w} can be specified with the @code{i} format to

respectively select 16 or 32 bit code instruction size.

@end table

Examples:

@itemize

@item

Dump 10 instructions at the current instruction pointer:

@example

(qemu) x/10i $eip

0x90107063:  ret

0x90107064:  sti

0x90107065:  lea    0x0(%esi,1),%esi

0x90107069:  lea    0x0(%edi,1),%edi

0x90107070:  ret

0x90107071:  jmp    0x90107080

0x90107073:  nop

0x90107074:  nop

0x90107075:  nop

0x90107076:  nop

@end example

@item

Dump 80 16 bit values at the start of the video memory.

@smallexample

(qemu) xp/80hx 0xb8000

0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42

0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41

0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72

0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73

0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20

0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720

0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

@end smallexample

@end itemize

@item p or print/@var{fmt} @var{expr}

Print expression value. Only the @var{format} part of @var{fmt} is

used.

@item sendkey @var{keys}

Send @var{keys} to the emulator. Use @code{-} to press several keys

simultaneously. Example:

@example

sendkey ctrl-alt-f1

@end example

This command is useful to send keys that your graphical user interface

intercepts at low level, such as @code{ctrl-alt-f1} in X Window.

@item system_reset

Reset the system.

@item usb_add @var{devname}

Add the USB device @var{devname}.  For details of available devices see

@ref{usb_devices}

@item usb_del @var{devname}

Remove the USB device @var{devname} from the QEMU virtual USB

hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor

command @code{info usb} to see the devices you can remove.

@end table

@subsection Integer expressions

The monitor understands integers expressions for every integer

argument. You can use register names to get the value of specifics

CPU registers by prefixing them with @emph{$}.

@node disk_images

@section Disk Images

Since version 0.6.1, QEMU supports many disk image formats, including

growable disk images (their size increase as non empty sectors are

written), compressed and encrypted disk images. Version 0.8.3 added

the new qcow2 disk image format which is essential to support VM

snapshots.

@menu

* disk_images_quickstart::    Quick start for disk image creation

* disk_images_snapshot_mode:: Snapshot mode

* vm_snapshots::              VM snapshots

* qemu_img_invocation::       qemu-img Invocation

* host_drives::               Using host drives

* disk_images_fat_images::    Virtual FAT disk images

@end menu

@node disk_images_quickstart

@subsection Quick start for disk image creation

You can create a disk image with the command:

@example

qemu-img create myimage.img mysize

@end example

where @var{myimage.img} is the disk image filename and @var{mysize} is its

size in kilobytes. You can add an @code{M} suffix to give the size in

megabytes and a @code{G} suffix for gigabytes.

See @ref{qemu_img_invocation} for more information.

@node disk_images_snapshot_mode

@subsection Snapshot mode

If you use the option @option{-snapshot}, all disk images are

considered as read only. When sectors in written, they are written in

a temporary file created in @file{/tmp}. You can however force the

write back to the raw disk images by using the @code{commit} monitor

command (or @key{C-a s} in the serial console).

@node vm_snapshots

@subsection VM snapshots

VM snapshots are snapshots of the complete virtual machine including

CPU state, RAM, device state and the content of all the writable

disks. In order to use VM snapshots, you must have at least one non

removable and writable block device using the @code{qcow2} disk image

format. Normally this device is the first virtual hard drive.

Use the monitor command @code{savevm} to create a new VM snapshot or

replace an existing one. A human readable name can be assigned to each

snapshot in addition to its numerical ID.

Use @code{loadvm} to restore a VM snapshot and @code{delvm} to remove

a VM snapshot. @code{info snapshots} lists the available snapshots

with their associated information:

@example

(qemu) info snapshots

Snapshot devices: hda

Snapshot list (from hda):

ID        TAG                 VM SIZE                DATE       VM CLOCK

1         start                   41M 2006-08-06 12:38:02   00:00:14.954

2                                 40M 2006-08-06 12:43:29   00:00:18.633

3         msys                    40M 2006-08-06 12:44:04   00:00:23.514

@end example

A VM snapshot is made of a VM state info (its size is shown in

@code{info snapshots}) and a snapshot of every writable disk image.

The VM state info is stored in the first @code{qcow2} non removable

and writable block device. The disk image snapshots are stored in

every disk image. The size of a snapshot in a disk image is difficult

to evaluate and is not shown by @code{info snapshots} because the

associated disk sectors are shared among all the snapshots to save

disk space (otherwise each snapshot would need a full copy of all the

disk images).

When using the (unrelated) @code{-snapshot} option

(@ref{disk_images_snapshot_mode}), you can always make VM snapshots,

but they are deleted as soon as you exit QEMU.

VM snapshots currently have the following known limitations:

@itemize

@item

They cannot cope with removable devices if they are removed or

inserted after a snapshot is done.

@item

A few device drivers still have incomplete snapshot support so their

state is not saved or restored properly (in particular USB).

@end itemize

@node qemu_img_invocation

@subsection @code{qemu-img} Invocation

@include qemu-img.texi

@node host_drives

@subsection Using host drives

In addition to disk image files, QEMU can directly access host

devices. We describe here the usage for QEMU version >= 0.8.3.

@subsubsection Linux

On Linux, you can directly use the host device filename instead of a

disk image filename provided you have enough privileges to access

it. For example, use @file{/dev/cdrom} to access to the CDROM or

@file{/dev/fd0} for the floppy.

@table @code

@item CD

You can specify a CDROM device even if no CDROM is loaded. QEMU has

specific code to detect CDROM insertion or removal. CDROM ejection by

the guest OS is supported. Currently only data CDs are supported.

@item Floppy

You can specify a floppy device even if no floppy is loaded. Floppy

removal is currently not detected accurately (if you change floppy

without doing floppy access while the floppy is not loaded, the guest

OS will think that the same floppy is loaded).

@item Hard disks

Hard disks can be used. Normally you must specify the whole disk

(@file{/dev/hdb} instead of @file{/dev/hdb1}) so that the guest OS can

see it as a partitioned disk. WARNING: unless you know what you do, it

is better to only make READ-ONLY accesses to the hard disk otherwise

you may corrupt your host data (use the @option{-snapshot} command

line option or modify the device permissions accordingly).

@end table

@subsubsection Windows

@table @code

@item CD

The preferred syntax is the drive letter (e.g. @file{d:}). The

alternate syntax @file{\\.\d:} is supported. @file{/dev/cdrom} is

supported as an alias to the first CDROM drive.

Currently there is no specific code to handle removable media, so it

is better to use the @code{change} or @code{eject} monitor commands to

change or eject media.

@item Hard disks

Hard disks can be used with the syntax: @file{\\.\PhysicalDrive@var{N}}

where @var{N} is the drive number (0 is the first hard disk).

WARNING: unless you know what you do, it is better to only make

READ-ONLY accesses to the hard disk otherwise you may corrupt your

host data (use the @option{-snapshot} command line so that the

modifications are written in a temporary file).

@end table

@subsubsection Mac OS X

@file{/dev/cdrom} is an alias to the first CDROM.

Currently there is no specific code to handle removable media, so it

is better to use the @code{change} or @code{eject} monitor commands to

change or eject media.

@node disk_images_fat_images

@subsection Virtual FAT disk images

QEMU can automatically create a virtual FAT disk image from a

directory tree. In order to use it, just type:

@example

qemu linux.img -hdb fat:/my_directory

@end example

Then you access access to all the files in the @file{/my_directory}

directory without having to copy them in a disk image or to export

them via SAMBA or NFS. The default access is @emph{read-only}.

Floppies can be emulated with the @code{:floppy:} option:

@example

qemu linux.img -fda fat:floppy:/my_directory

@end example

A read/write support is available for testing (beta stage) with the

@code{:rw:} option:

@example

qemu linux.img -fda fat:floppy:rw:/my_directory

@end example

What you should @emph{never} do:

@itemize

@item use non-ASCII filenames ;

@item use "-snapshot" together with ":rw:" ;

@item expect it to work when loadvm'ing ;

@item write to the FAT directory on the host system while accessing it with the guest system.

@end itemize

@node pcsys_network

@section Network emulation

QEMU can simulate several network cards (PCI or ISA cards on the PC

target) and can connect them to an arbitrary number of Virtual Local

Area Networks (VLANs). Host TAP devices can be connected to any QEMU

VLAN. VLAN can be connected between separate instances of QEMU to

simulate large networks. For simpler usage, a non privileged user mode

network stack can replace the TAP device to have a basic network

connection.

@subsection VLANs

QEMU simulates several VLANs. A VLAN can be symbolised as a virtual

connection between several network devices. These devices can be for

example QEMU virtual Ethernet cards or virtual Host ethernet devices

(TAP devices).

@subsection Using TAP network interfaces

This is the standard way to connect QEMU to a real network. QEMU adds

a virtual network device on your host (called @code{tapN}), and you

can then configure it as if it was a real ethernet card.

@subsubsection Linux host

As an example, you can download the @file{linux-test-xxx.tar.gz}

archive and copy the script @file{qemu-ifup} in @file{/etc} and

configure properly @code{sudo} so that the command @code{ifconfig}

contained in @file{qemu-ifup} can be executed as root. You must verify

that your host kernel supports the TAP network interfaces: the

device @file{/dev/net/tun} must be present.

See @ref{sec_invocation} to have examples of command lines using the

TAP network interfaces.

@subsubsection Windows host

There is a virtual ethernet driver for Windows 2000/XP systems, called

TAP-Win32. But it is not included in standard QEMU for Windows,

so you will need to get it separately. It is part of OpenVPN package,

so download OpenVPN from : @url{http://openvpn.net/}.

@subsection Using the user mode network stack

By using the option @option{-net user} (default configuration if no

@option{-net} option is specified), QEMU uses a completely user mode

network stack (you don't need root privilege to use the virtual

network). The virtual network configuration is the following:

@example

         QEMU VLAN      <------>  Firewall/DHCP server <-----> Internet

                           |          (10.0.2.2)

                           |

                           ---->  DNS server (10.0.2.3)

                           |

                           ---->  SMB server (10.0.2.4)

@end example

The QEMU VM behaves as if it was behind a firewall which blocks all

incoming connections. You can use a DHCP client to automatically

configure the network in the QEMU VM. The DHCP server assign addresses

to the hosts starting from 10.0.2.15.

In order to check that the user mode network is working, you can ping

the address 10.0.2.2 and verify that you got an address in the range

10.0.2.x from the QEMU virtual DHCP server.

Note that @code{ping} is not supported reliably to the internet as it

would require root privileges. It means you can only ping the local

router (10.0.2.2).

When using the built-in TFTP server, the router is also the TFTP

server.

When using the @option{-redir} option, TCP or UDP connections can be

redirected from the host to the guest. It allows for example to

redirect X11, telnet or SSH connections.

@subsection Connecting VLANs between QEMU instances

Using the @option{-net socket} option, it is possible to make VLANs

that span several QEMU instances. See @ref{sec_invocation} to have a

basic example.

@node direct_linux_boot

@section Direct Linux Boot

This section explains how to launch a Linux kernel inside QEMU without

having to make a full bootable image. It is very useful for fast Linux

kernel testing.

The syntax is:

@example

qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"

@end example

Use @option{-kernel} to provide the Linux kernel image and

@option{-append} to give the kernel command line arguments. The

@option{-initrd} option can be used to provide an INITRD image.

When using the direct Linux boot, a disk image for the first hard disk

@file{hda} is required because its boot sector is used to launch the

Linux kernel.

If you do not need graphical output, you can disable it and redirect

the virtual serial port and the QEMU monitor to the console with the

@option{-nographic} option. The typical command line is:

@example

qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \

     -append "root=/dev/hda console=ttyS0" -nographic

@end example

Use @key{Ctrl-a c} to switch between the serial console and the

monitor (@pxref{pcsys_keys}).

@node pcsys_usb

@section USB emulation

QEMU emulates a PCI UHCI USB controller. You can virtually plug

virtual USB devices or real host USB devices (experimental, works only

on Linux hosts).  Qemu will automatically create and connect virtual USB hubs

as necessary to connect multiple USB devices.

@menu

* usb_devices::

* host_usb_devices::

@end menu

@node usb_devices

@subsection Connecting USB devices

USB devices can be connected with the @option{-usbdevice} commandline option

or the @code{usb_add} monitor command.  Available devices are:

@table @var

@item @code{mouse}

Virtual Mouse.  This will override the PS/2 mouse emulation when activated.

@item @code{tablet}

Pointer device that uses absolute coordinates (like a touchscreen).

This means qemu is able to report the mouse position without having

to grab the mouse.  Also overrides the PS/2 mouse emulation when activated.

@item @code{disk:@var{file}}

Mass storage device based on @var{file} (@pxref{disk_images})

@item @code{host:@var{bus.addr}}

Pass through the host device identified by @var{bus.addr}

(Linux only)

@item @code{host:@var{vendor_id:product_id}}

Pass through the host device identified by @var{vendor_id:product_id}

(Linux only)

@item @code{wacom-tablet}

Virtual Wacom PenPartner tablet.  This device is similar to the @code{tablet}

above but it can be used with the tslib library because in addition to touch

coordinates it reports touch pressure.

@item @code{keyboard}

Standard USB keyboard.  Will override the PS/2 keyboard (if present).

@end table

@node host_usb_devices

@subsection Using host USB devices on a Linux host

WARNING: this is an experimental feature. QEMU will slow down when

using it. USB devices requiring real time streaming (i.e. USB Video

Cameras) are not supported yet.

@enumerate

@item If you use an early Linux 2.4 kernel, verify that no Linux driver

is actually using the USB device. A simple way to do that is simply to

disable the corresponding kernel module by renaming it from @file{mydriver.o}

to @file{mydriver.o.disabled}.

@item Verify that @file{/proc/bus/usb} is working (most Linux distributions should enable it by default). You should see something like that:

@example

ls /proc/bus/usb

001  devices  drivers

@end example

@item Since only root can access to the USB devices directly, you can either launch QEMU as root or change the permissions of the USB devices you want to use. For testing, the following suffices:

@example

chown -R myuid /proc/bus/usb

@end example

@item Launch QEMU and do in the monitor:

@example

info usbhost

  Device 1.2, speed 480 Mb/s

    Class 00: USB device 1234:5678, USB DISK

@end example

You should see the list of the devices you can use (Never try to use

hubs, it won't work).

@item Add the device in QEMU by using:

@example

usb_add host:1234:5678

@end example

Normally the guest OS should report that a new USB device is

plugged. You can use the option @option{-usbdevice} to do the same.

@item Now you can try to use the host USB device in QEMU.

@end enumerate

When relaunching QEMU, you may have to unplug and plug again the USB

device to make it work again (this is a bug).

@node vnc_security

@section VNC security

The VNC server capability provides access to the graphical console

of the guest VM across the network. This has a number of security

considerations depending on the deployment scenarios.

@menu

* vnc_sec_none::

* vnc_sec_password::

* vnc_sec_certificate::

* vnc_sec_certificate_verify::

* vnc_sec_certificate_pw::

* vnc_generate_cert::

@end menu

@node vnc_sec_none

@subsection Without passwords

The simplest VNC server setup does not include any form of authentication.

For this setup it is recommended to restrict it to listen on a UNIX domain

socket only. For example

@example

qemu [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc

@end example

This ensures that only users on local box with read/write access to that

path can access the VNC server. To securely access the VNC server from a

remote machine, a combination of netcat+ssh can be used to provide a secure

tunnel.

@node vnc_sec_password

@subsection With passwords

The VNC protocol has limited support for password based authentication. Since

the protocol limits passwords to 8 characters it should not be considered

to provide high security. The password can be fairly easily brute-forced by

a client making repeat connections. For this reason, a VNC server using password

authentication should be restricted to only listen on the loopback interface

or UNIX domain sockets. Password ayuthentication is requested with the @code{password}

option, and then once QEMU is running the password is set with the monitor. Until

the monitor is used to set the password all clients will be rejected.

@example

qemu [...OPTIONS...] -vnc :1,password -monitor stdio

(qemu) change vnc password

Password: ********

(qemu)

@end example

@node vnc_sec_certificate

@subsection With x509 certificates

The QEMU VNC server also implements the VeNCrypt extension allowing use of

TLS for encryption of the session, and x509 certificates for authentication.

The use of x509 certificates is strongly recommended, because TLS on its

own is susceptible to man-in-the-middle attacks. Basic x509 certificate

support provides a secure session, but no authentication. This allows any