Archipelago » qemu

\input texinfo @c -*- texinfo -*-

@c %**start of header

@setfilename qemu-doc.info

@documentlanguage en

@documentencoding UTF-8

@settitle QEMU Emulator User Documentation

@exampleindent 0

@paragraphindent 0

@c %**end of header

@ifinfo

@direntry

* QEMU: (qemu-doc).    The QEMU Emulator User Documentation.

@end direntry

@end ifinfo

@iftex

@titlepage

@sp 7

@center @titlefont{QEMU Emulator}

@sp 1

@center @titlefont{User Documentation}

@sp 3

@end titlepage

@end iftex

@ifnottex

@node Top

@top

@menu

* Introduction::

* Installation::

* QEMU PC System emulator::

* QEMU System emulator for non PC targets::

* QEMU User space emulator::

* compilation:: Compilation from the sources

* Index::

@end menu

@end ifnottex

@contents

@node Introduction

@chapter Introduction

@menu

* intro_features:: Features

@end menu

@node intro_features

@section Features

QEMU is a FAST! processor emulator using dynamic translation to

achieve good emulation speed.

QEMU has two operating modes:

@itemize @minus

@item

Full system emulation. In this mode, QEMU emulates a full system (for

example a PC), including one or several processors and various

peripherals. It can be used to launch different Operating Systems

without rebooting the PC or to debug system code.

@item

User mode emulation. In this mode, QEMU can launch

processes compiled for one CPU on another CPU. It can be used to

launch the Wine Windows API emulator (@url{http://www.winehq.org}) or

to ease cross-compilation and cross-debugging.

@end itemize

QEMU can run without an host kernel driver and yet gives acceptable

performance.

For system emulation, the following hardware targets are supported:

@itemize

@item PC (x86 or x86_64 processor)

@item ISA PC (old style PC without PCI bus)

@item PREP (PowerPC processor)

@item G3 Beige PowerMac (PowerPC processor)

@item Mac99 PowerMac (PowerPC processor, in progress)

@item Sun4m/Sun4c/Sun4d (32-bit Sparc processor)

@item Sun4u/Sun4v (64-bit Sparc processor, in progress)

@item Malta board (32-bit and 64-bit MIPS processors)

@item MIPS Magnum (64-bit MIPS processor)

@item ARM Integrator/CP (ARM)

@item ARM Versatile baseboard (ARM)

@item ARM RealView Emulation/Platform baseboard (ARM)

@item Spitz, Akita, Borzoi, Terrier and Tosa PDAs (PXA270 processor)

@item Luminary Micro LM3S811EVB (ARM Cortex-M3)

@item Luminary Micro LM3S6965EVB (ARM Cortex-M3)

@item Freescale MCF5208EVB (ColdFire V2).

@item Arnewsh MCF5206 evaluation board (ColdFire V2).

@item Palm Tungsten|E PDA (OMAP310 processor)

@item N800 and N810 tablets (OMAP2420 processor)

@item MusicPal (MV88W8618 ARM processor)

@item Gumstix "Connex" and "Verdex" motherboards (PXA255/270).

@item Siemens SX1 smartphone (OMAP310 processor)

@item Syborg SVP base model (ARM Cortex-A8).

@item AXIS-Devboard88 (CRISv32 ETRAX-FS).

@item Petalogix Spartan 3aDSP1800 MMU ref design (MicroBlaze).

@end itemize

For user emulation, x86, PowerPC, ARM, 32-bit MIPS, Sparc32/64, ColdFire(m68k), CRISv32 and MicroBlaze CPUs are supported.

@node Installation

@chapter Installation

If you want to compile QEMU yourself, see @ref{compilation}.

@menu

* install_linux::   Linux

* install_windows:: Windows

* install_mac::     Macintosh

@end menu

@node install_linux

@section Linux

If a precompiled package is available for your distribution - you just

have to install it. Otherwise, see @ref{compilation}.

@node install_windows

@section Windows

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node install_mac

@section Mac OS X

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node QEMU PC System emulator

@chapter QEMU PC System emulator

@menu

* pcsys_introduction:: Introduction

* pcsys_quickstart::   Quick Start

* sec_invocation::     Invocation

* pcsys_keys::         Keys

* pcsys_monitor::      QEMU Monitor

* disk_images::        Disk Images

* pcsys_network::      Network emulation

* direct_linux_boot::  Direct Linux Boot

* pcsys_usb::          USB emulation

* vnc_security::       VNC security

* gdb_usage::          GDB usage

* pcsys_os_specific::  Target OS specific information

@end menu

@node pcsys_introduction

@section Introduction

@c man begin DESCRIPTION

The QEMU PC System emulator simulates the

following peripherals:

@itemize @minus

@item

i440FX host PCI bridge and PIIX3 PCI to ISA bridge

@item

Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA

extensions (hardware level, including all non standard modes).

@item

PS/2 mouse and keyboard

@item

2 PCI IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@item

PCI and ISA network adapters

@item

Serial ports

@item

Creative SoundBlaster 16 sound card

@item

ENSONIQ AudioPCI ES1370 sound card

@item

Intel 82801AA AC97 Audio compatible sound card

@item

Adlib(OPL2) - Yamaha YM3812 compatible chip

@item

Gravis Ultrasound GF1 sound card

@item

CS4231A compatible sound card

@item

PCI UHCI USB controller and a virtual USB hub.

@end itemize

SMP is supported with up to 255 CPUs.

Note that adlib, gus and cs4231a are only available when QEMU was

configured with --audio-card-list option containing the name(s) of

required card(s).

QEMU uses the PC BIOS from the Bochs project and the Plex86/Bochs LGPL

VGA BIOS.

QEMU uses YM3812 emulation by Tatsuyuki Satoh.

QEMU uses GUS emulation(GUSEMU32 @url{http://www.deinmeister.de/gusemu/})

by Tibor "TS" Schütz.

Not that, by default, GUS shares IRQ(7) with parallel ports and so

qemu must be told to not have parallel ports to have working GUS

@example

qemu dos.img -soundhw gus -parallel none

@end example

Alternatively:

@example

qemu dos.img -device gus,irq=5

@end example

Or some other unclaimed IRQ.

CS4231A is the chip used in Windows Sound System and GUSMAX products

@c man end

@node pcsys_quickstart

@section Quick Start

Download and uncompress the linux image (@file{linux.img}) and type:

@example

qemu linux.img

@end example

Linux should boot and give you a prompt.

@node sec_invocation

@section Invocation

@example

@c man begin SYNOPSIS

usage: qemu [options] [@var{disk_image}]

@c man end

@end example

@c man begin OPTIONS

@var{disk_image} is a raw hard disk image for IDE hard disk 0. Some

targets do not need a disk image.

@include qemu-options.texi

@c man end

@node pcsys_keys

@section Keys

@c man begin OPTIONS

During the graphical emulation, you can use the following keys:

@table @key

@item Ctrl-Alt-f

Toggle full screen

@item Ctrl-Alt-u

Restore the screen's un-scaled dimensions

@item Ctrl-Alt-n

Switch to virtual console 'n'. Standard console mappings are:

@table @emph

@item 1

Target system display

@item 2

Monitor

@item 3

Serial port

@end table

@item Ctrl-Alt

Toggle mouse and keyboard grab.

@end table

In the virtual consoles, you can use @key{Ctrl-Up}, @key{Ctrl-Down},

@key{Ctrl-PageUp} and @key{Ctrl-PageDown} to move in the back log.

During emulation, if you are using the @option{-nographic} option, use

@key{Ctrl-a h} to get terminal commands:

@table @key

@item Ctrl-a h

@item Ctrl-a ?

Print this help

@item Ctrl-a x

Exit emulator

@item Ctrl-a s

Save disk data back to file (if -snapshot)

@item Ctrl-a t

Toggle console timestamps

@item Ctrl-a b

Send break (magic sysrq in Linux)

@item Ctrl-a c

Switch between console and monitor

@item Ctrl-a Ctrl-a

Send Ctrl-a

@end table

@c man end

@ignore

@c man begin SEEALSO

The HTML documentation of QEMU for more precise information and Linux

user mode emulator invocation.

@c man end

@c man begin AUTHOR

Fabrice Bellard

@c man end

@end ignore

@node pcsys_monitor

@section QEMU Monitor

The QEMU monitor is used to give complex commands to the QEMU

emulator. You can use it to:

@itemize @minus

@item

Remove or insert removable media images

(such as CD-ROM or floppies).

@item

Freeze/unfreeze the Virtual Machine (VM) and save or restore its state

from a disk file.

@item Inspect the VM state without an external debugger.

@end itemize

@subsection Commands

The following commands are available:

@include qemu-monitor.texi

@subsection Integer expressions

The monitor understands integers expressions for every integer

argument. You can use register names to get the value of specifics

CPU registers by prefixing them with @emph{$}.

@node disk_images

@section Disk Images

Since version 0.6.1, QEMU supports many disk image formats, including

growable disk images (their size increase as non empty sectors are

written), compressed and encrypted disk images. Version 0.8.3 added

the new qcow2 disk image format which is essential to support VM

snapshots.

@menu

* disk_images_quickstart::    Quick start for disk image creation

* disk_images_snapshot_mode:: Snapshot mode

* vm_snapshots::              VM snapshots

* qemu_img_invocation::       qemu-img Invocation

* qemu_nbd_invocation::       qemu-nbd Invocation

* host_drives::               Using host drives

* disk_images_fat_images::    Virtual FAT disk images

* disk_images_nbd::           NBD access

@end menu

@node disk_images_quickstart

@subsection Quick start for disk image creation

You can create a disk image with the command:

@example

qemu-img create myimage.img mysize

@end example

where @var{myimage.img} is the disk image filename and @var{mysize} is its

size in kilobytes. You can add an @code{M} suffix to give the size in

megabytes and a @code{G} suffix for gigabytes.

See @ref{qemu_img_invocation} for more information.

@node disk_images_snapshot_mode

@subsection Snapshot mode

If you use the option @option{-snapshot}, all disk images are

considered as read only. When sectors in written, they are written in

a temporary file created in @file{/tmp}. You can however force the

write back to the raw disk images by using the @code{commit} monitor

command (or @key{C-a s} in the serial console).

@node vm_snapshots

@subsection VM snapshots

VM snapshots are snapshots of the complete virtual machine including

CPU state, RAM, device state and the content of all the writable

disks. In order to use VM snapshots, you must have at least one non

removable and writable block device using the @code{qcow2} disk image

format. Normally this device is the first virtual hard drive.

Use the monitor command @code{savevm} to create a new VM snapshot or

replace an existing one. A human readable name can be assigned to each

snapshot in addition to its numerical ID.

Use @code{loadvm} to restore a VM snapshot and @code{delvm} to remove

a VM snapshot. @code{info snapshots} lists the available snapshots

with their associated information:

@example

(qemu) info snapshots

Snapshot devices: hda

Snapshot list (from hda):

ID        TAG                 VM SIZE                DATE       VM CLOCK

1         start                   41M 2006-08-06 12:38:02   00:00:14.954

2                                 40M 2006-08-06 12:43:29   00:00:18.633

3         msys                    40M 2006-08-06 12:44:04   00:00:23.514

@end example

A VM snapshot is made of a VM state info (its size is shown in

@code{info snapshots}) and a snapshot of every writable disk image.

The VM state info is stored in the first @code{qcow2} non removable

and writable block device. The disk image snapshots are stored in

every disk image. The size of a snapshot in a disk image is difficult

to evaluate and is not shown by @code{info snapshots} because the

associated disk sectors are shared among all the snapshots to save

disk space (otherwise each snapshot would need a full copy of all the

disk images).

When using the (unrelated) @code{-snapshot} option

(@ref{disk_images_snapshot_mode}), you can always make VM snapshots,

but they are deleted as soon as you exit QEMU.

VM snapshots currently have the following known limitations:

@itemize

@item

They cannot cope with removable devices if they are removed or

inserted after a snapshot is done.

@item

A few device drivers still have incomplete snapshot support so their

state is not saved or restored properly (in particular USB).

@end itemize

@node qemu_img_invocation

@subsection @code{qemu-img} Invocation

@include qemu-img.texi

@node qemu_nbd_invocation

@subsection @code{qemu-nbd} Invocation

@include qemu-nbd.texi

@node host_drives

@subsection Using host drives

In addition to disk image files, QEMU can directly access host

devices. We describe here the usage for QEMU version >= 0.8.3.

@subsubsection Linux

On Linux, you can directly use the host device filename instead of a

disk image filename provided you have enough privileges to access

it. For example, use @file{/dev/cdrom} to access to the CDROM or

@file{/dev/fd0} for the floppy.

@table @code

@item CD

You can specify a CDROM device even if no CDROM is loaded. QEMU has

specific code to detect CDROM insertion or removal. CDROM ejection by

the guest OS is supported. Currently only data CDs are supported.

@item Floppy

You can specify a floppy device even if no floppy is loaded. Floppy

removal is currently not detected accurately (if you change floppy

without doing floppy access while the floppy is not loaded, the guest

OS will think that the same floppy is loaded).

@item Hard disks

Hard disks can be used. Normally you must specify the whole disk

(@file{/dev/hdb} instead of @file{/dev/hdb1}) so that the guest OS can

see it as a partitioned disk. WARNING: unless you know what you do, it

is better to only make READ-ONLY accesses to the hard disk otherwise

you may corrupt your host data (use the @option{-snapshot} command

line option or modify the device permissions accordingly).

@end table

@subsubsection Windows

@table @code

@item CD

The preferred syntax is the drive letter (e.g. @file{d:}). The

alternate syntax @file{\\.\d:} is supported. @file{/dev/cdrom} is

supported as an alias to the first CDROM drive.

Currently there is no specific code to handle removable media, so it

is better to use the @code{change} or @code{eject} monitor commands to

change or eject media.

@item Hard disks

Hard disks can be used with the syntax: @file{\\.\PhysicalDrive@var{N}}

where @var{N} is the drive number (0 is the first hard disk).

WARNING: unless you know what you do, it is better to only make

READ-ONLY accesses to the hard disk otherwise you may corrupt your

host data (use the @option{-snapshot} command line so that the

modifications are written in a temporary file).

@end table

@subsubsection Mac OS X

@file{/dev/cdrom} is an alias to the first CDROM.

Currently there is no specific code to handle removable media, so it

is better to use the @code{change} or @code{eject} monitor commands to

change or eject media.

@node disk_images_fat_images

@subsection Virtual FAT disk images

QEMU can automatically create a virtual FAT disk image from a

directory tree. In order to use it, just type:

@example

qemu linux.img -hdb fat:/my_directory

@end example

Then you access access to all the files in the @file{/my_directory}

directory without having to copy them in a disk image or to export

them via SAMBA or NFS. The default access is @emph{read-only}.

Floppies can be emulated with the @code{:floppy:} option:

@example

qemu linux.img -fda fat:floppy:/my_directory

@end example

A read/write support is available for testing (beta stage) with the

@code{:rw:} option:

@example

qemu linux.img -fda fat:floppy:rw:/my_directory

@end example

What you should @emph{never} do:

@itemize

@item use non-ASCII filenames ;

@item use "-snapshot" together with ":rw:" ;

@item expect it to work when loadvm'ing ;

@item write to the FAT directory on the host system while accessing it with the guest system.

@end itemize

@node disk_images_nbd

@subsection NBD access

QEMU can access directly to block device exported using the Network Block Device

protocol.

@example

qemu linux.img -hdb nbd:my_nbd_server.mydomain.org:1024

@end example

If the NBD server is located on the same host, you can use an unix socket instead

of an inet socket:

@example

qemu linux.img -hdb nbd:unix:/tmp/my_socket

@end example

In this case, the block device must be exported using qemu-nbd:

@example

qemu-nbd --socket=/tmp/my_socket my_disk.qcow2

@end example

The use of qemu-nbd allows to share a disk between several guests:

@example

qemu-nbd --socket=/tmp/my_socket --share=2 my_disk.qcow2

@end example

and then you can use it with two guests:

@example

qemu linux1.img -hdb nbd:unix:/tmp/my_socket

qemu linux2.img -hdb nbd:unix:/tmp/my_socket

@end example

@node pcsys_network

@section Network emulation

QEMU can simulate several network cards (PCI or ISA cards on the PC

target) and can connect them to an arbitrary number of Virtual Local

Area Networks (VLANs). Host TAP devices can be connected to any QEMU

VLAN. VLAN can be connected between separate instances of QEMU to

simulate large networks. For simpler usage, a non privileged user mode

network stack can replace the TAP device to have a basic network

connection.

@subsection VLANs

QEMU simulates several VLANs. A VLAN can be symbolised as a virtual

connection between several network devices. These devices can be for

example QEMU virtual Ethernet cards or virtual Host ethernet devices

(TAP devices).

@subsection Using TAP network interfaces

This is the standard way to connect QEMU to a real network. QEMU adds

a virtual network device on your host (called @code{tapN}), and you

can then configure it as if it was a real ethernet card.

@subsubsection Linux host

As an example, you can download the @file{linux-test-xxx.tar.gz}

archive and copy the script @file{qemu-ifup} in @file{/etc} and

configure properly @code{sudo} so that the command @code{ifconfig}

contained in @file{qemu-ifup} can be executed as root. You must verify

that your host kernel supports the TAP network interfaces: the

device @file{/dev/net/tun} must be present.

See @ref{sec_invocation} to have examples of command lines using the

TAP network interfaces.

@subsubsection Windows host

There is a virtual ethernet driver for Windows 2000/XP systems, called

TAP-Win32. But it is not included in standard QEMU for Windows,

so you will need to get it separately. It is part of OpenVPN package,

so download OpenVPN from : @url{http://openvpn.net/}.

@subsection Using the user mode network stack

By using the option @option{-net user} (default configuration if no

@option{-net} option is specified), QEMU uses a completely user mode

network stack (you don't need root privilege to use the virtual

network). The virtual network configuration is the following:

@example

         QEMU VLAN      <------>  Firewall/DHCP server <-----> Internet

                           |          (10.0.2.2)

                           |

                           ---->  DNS server (10.0.2.3)

                           |

                           ---->  SMB server (10.0.2.4)

@end example

The QEMU VM behaves as if it was behind a firewall which blocks all

incoming connections. You can use a DHCP client to automatically

configure the network in the QEMU VM. The DHCP server assign addresses

to the hosts starting from 10.0.2.15.

In order to check that the user mode network is working, you can ping

the address 10.0.2.2 and verify that you got an address in the range

10.0.2.x from the QEMU virtual DHCP server.

Note that @code{ping} is not supported reliably to the internet as it

would require root privileges. It means you can only ping the local

router (10.0.2.2).

When using the built-in TFTP server, the router is also the TFTP

server.

When using the @option{-redir} option, TCP or UDP connections can be

redirected from the host to the guest. It allows for example to

redirect X11, telnet or SSH connections.

@subsection Connecting VLANs between QEMU instances

Using the @option{-net socket} option, it is possible to make VLANs

that span several QEMU instances. See @ref{sec_invocation} to have a

basic example.

@node direct_linux_boot

@section Direct Linux Boot

This section explains how to launch a Linux kernel inside QEMU without

having to make a full bootable image. It is very useful for fast Linux

kernel testing.

The syntax is:

@example

qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"

@end example

Use @option{-kernel} to provide the Linux kernel image and

@option{-append} to give the kernel command line arguments. The

@option{-initrd} option can be used to provide an INITRD image.

When using the direct Linux boot, a disk image for the first hard disk

@file{hda} is required because its boot sector is used to launch the

Linux kernel.

If you do not need graphical output, you can disable it and redirect

the virtual serial port and the QEMU monitor to the console with the

@option{-nographic} option. The typical command line is:

@example

qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \

     -append "root=/dev/hda console=ttyS0" -nographic

@end example

Use @key{Ctrl-a c} to switch between the serial console and the

monitor (@pxref{pcsys_keys}).

@node pcsys_usb

@section USB emulation

QEMU emulates a PCI UHCI USB controller. You can virtually plug

virtual USB devices or real host USB devices (experimental, works only

on Linux hosts).  Qemu will automatically create and connect virtual USB hubs

as necessary to connect multiple USB devices.

@menu

* usb_devices::

* host_usb_devices::

@end menu

@node usb_devices

@subsection Connecting USB devices

USB devices can be connected with the @option{-usbdevice} commandline option

or the @code{usb_add} monitor command.  Available devices are:

@table @code

@item mouse

Virtual Mouse.  This will override the PS/2 mouse emulation when activated.

@item tablet

Pointer device that uses absolute coordinates (like a touchscreen).

This means qemu is able to report the mouse position without having

to grab the mouse.  Also overrides the PS/2 mouse emulation when activated.

@item disk:@var{file}

Mass storage device based on @var{file} (@pxref{disk_images})

@item host:@var{bus.addr}

Pass through the host device identified by @var{bus.addr}

(Linux only)

@item host:@var{vendor_id:product_id}

Pass through the host device identified by @var{vendor_id:product_id}

(Linux only)

@item wacom-tablet

Virtual Wacom PenPartner tablet.  This device is similar to the @code{tablet}

above but it can be used with the tslib library because in addition to touch

coordinates it reports touch pressure.

@item keyboard

Standard USB keyboard.  Will override the PS/2 keyboard (if present).

@item serial:[vendorid=@var{vendor_id}][,product_id=@var{product_id}]:@var{dev}

Serial converter. This emulates an FTDI FT232BM chip connected to host character

device @var{dev}. The available character devices are the same as for the

@code{-serial} option. The @code{vendorid} and @code{productid} options can be

used to override the default 0403:6001. For instance, 

@example

usb_add serial:productid=FA00:tcp:192.168.0.2:4444

@end example

will connect to tcp port 4444 of ip 192.168.0.2, and plug that to the virtual

serial converter, faking a Matrix Orbital LCD Display (USB ID 0403:FA00).

@item braille

Braille device.  This will use BrlAPI to display the braille output on a real

or fake device.

@item net:@var{options}

Network adapter that supports CDC ethernet and RNDIS protocols.  @var{options}

specifies NIC options as with @code{-net nic,}@var{options} (see description).

For instance, user-mode networking can be used with

@example

qemu [...OPTIONS...] -net user,vlan=0 -usbdevice net:vlan=0

@end example

Currently this cannot be used in machines that support PCI NICs.

@item bt[:@var{hci-type}]

Bluetooth dongle whose type is specified in the same format as with

the @option{-bt hci} option, @pxref{bt-hcis,,allowed HCI types}.  If

no type is given, the HCI logic corresponds to @code{-bt hci,vlan=0}.

This USB device implements the USB Transport Layer of HCI.  Example

usage:

@example

qemu [...OPTIONS...] -usbdevice bt:hci,vlan=3 -bt device:keyboard,vlan=3

@end example

@end table

@node host_usb_devices

@subsection Using host USB devices on a Linux host

WARNING: this is an experimental feature. QEMU will slow down when

using it. USB devices requiring real time streaming (i.e. USB Video

Cameras) are not supported yet.

@enumerate

@item If you use an early Linux 2.4 kernel, verify that no Linux driver

is actually using the USB device. A simple way to do that is simply to

disable the corresponding kernel module by renaming it from @file{mydriver.o}

to @file{mydriver.o.disabled}.

@item Verify that @file{/proc/bus/usb} is working (most Linux distributions should enable it by default). You should see something like that:

@example

ls /proc/bus/usb

001  devices  drivers

@end example

@item Since only root can access to the USB devices directly, you can either launch QEMU as root or change the permissions of the USB devices you want to use. For testing, the following suffices:

@example

chown -R myuid /proc/bus/usb

@end example

@item Launch QEMU and do in the monitor:

@example

info usbhost

  Device 1.2, speed 480 Mb/s

    Class 00: USB device 1234:5678, USB DISK

@end example

You should see the list of the devices you can use (Never try to use

hubs, it won't work).

@item Add the device in QEMU by using:

@example

usb_add host:1234:5678

@end example

Normally the guest OS should report that a new USB device is

plugged. You can use the option @option{-usbdevice} to do the same.

@item Now you can try to use the host USB device in QEMU.

@end enumerate

When relaunching QEMU, you may have to unplug and plug again the USB

device to make it work again (this is a bug).

@node vnc_security

@section VNC security

The VNC server capability provides access to the graphical console

of the guest VM across the network. This has a number of security

considerations depending on the deployment scenarios.

@menu

* vnc_sec_none::

* vnc_sec_password::

* vnc_sec_certificate::

* vnc_sec_certificate_verify::

* vnc_sec_certificate_pw::

* vnc_sec_sasl::

* vnc_sec_certificate_sasl::

* vnc_generate_cert::

* vnc_setup_sasl::

@end menu

@node vnc_sec_none

@subsection Without passwords

The simplest VNC server setup does not include any form of authentication.

For this setup it is recommended to restrict it to listen on a UNIX domain

socket only. For example

@example

qemu [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc

@end example

This ensures that only users on local box with read/write access to that

path can access the VNC server. To securely access the VNC server from a

remote machine, a combination of netcat+ssh can be used to provide a secure

tunnel.

@node vnc_sec_password

@subsection With passwords

The VNC protocol has limited support for password based authentication. Since

the protocol limits passwords to 8 characters it should not be considered

to provide high security. The password can be fairly easily brute-forced by

a client making repeat connections. For this reason, a VNC server using password

authentication should be restricted to only listen on the loopback interface

or UNIX domain sockets. Password authentication is requested with the @code{password}

option, and then once QEMU is running the password is set with the monitor. Until

the monitor is used to set the password all clients will be rejected.

@example

qemu [...OPTIONS...] -vnc :1,password -monitor stdio

(qemu) change vnc password

Password: ********

(qemu)

@end example

@node vnc_sec_certificate

@subsection With x509 certificates

The QEMU VNC server also implements the VeNCrypt extension allowing use of

TLS for encryption of the session, and x509 certificates for authentication.

The use of x509 certificates is strongly recommended, because TLS on its

own is susceptible to man-in-the-middle attacks. Basic x509 certificate

support provides a secure session, but no authentication. This allows any

client to connect, and provides an encrypted session.

@example

qemu [...OPTIONS...] -vnc :1,tls,x509=/etc/pki/qemu -monitor stdio

@end example

In the above example @code{/etc/pki/qemu} should contain at least three files,

@code{ca-cert.pem}, @code{server-cert.pem} and @code{server-key.pem}. Unprivileged

users will want to use a private directory, for example @code{$HOME/.pki/qemu}.

NB the @code{server-key.pem} file should be protected with file mode 0600 to

only be readable by the user owning it.

@node vnc_sec_certificate_verify

@subsection With x509 certificates and client verification

Certificates can also provide a means to authenticate the client connecting.

The server will request that the client provide a certificate, which it will

then validate against the CA certificate. This is a good choice if deploying

in an environment with a private internal certificate authority.

@example

qemu [...OPTIONS...] -vnc :1,tls,x509verify=/etc/pki/qemu -monitor stdio

@end example

@node vnc_sec_certificate_pw

@subsection With x509 certificates, client verification and passwords

Finally, the previous method can be combined with VNC password authentication

to provide two layers of authentication for clients.

@example

qemu [...OPTIONS...] -vnc :1,password,tls,x509verify=/etc/pki/qemu -monitor stdio

(qemu) change vnc password

Password: ********

(qemu)

@end example

@node vnc_sec_sasl

@subsection With SASL authentication

The SASL authentication method is a VNC extension, that provides an

easily extendable, pluggable authentication method. This allows for

integration with a wide range of authentication mechanisms, such as

PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more.

The strength of the authentication depends on the exact mechanism

configured. If the chosen mechanism also provides a SSF layer, then

it will encrypt the datastream as well.

Refer to the later docs on how to choose the exact SASL mechanism

used for authentication, but assuming use of one supporting SSF,

then QEMU can be launched with:

@example

qemu [...OPTIONS...] -vnc :1,sasl -monitor stdio

@end example

@node vnc_sec_certificate_sasl

@subsection With x509 certificates and SASL authentication

If the desired SASL authentication mechanism does not supported

SSF layers, then it is strongly advised to run it in combination

with TLS and x509 certificates. This provides securely encrypted

data stream, avoiding risk of compromising of the security

credentials. This can be enabled, by combining the 'sasl' option

with the aforementioned TLS + x509 options:

@example

qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio

@end example

@node vnc_generate_cert

@subsection Generating certificates for VNC

The GNU TLS packages provides a command called @code{certtool} which can

be used to generate certificates and keys in PEM format. At a minimum it

is neccessary to setup a certificate authority, and issue certificates to

each server. If using certificates for authentication, then each client

will also need to be issued a certificate. The recommendation is for the

server to keep its certificates in either @code{/etc/pki/qemu} or for

unprivileged users in @code{$HOME/.pki/qemu}.

@menu

* vnc_generate_ca::

* vnc_generate_server::

* vnc_generate_client::

@end menu

@node vnc_generate_ca

@subsubsection Setup the Certificate Authority

This step only needs to be performed once per organization / organizational

unit. First the CA needs a private key. This key must be kept VERY secret

and secure. If this key is compromised the entire trust chain of the certificates

issued with it is lost.

@example

# certtool --generate-privkey > ca-key.pem

@end example

A CA needs to have a public certificate. For simplicity it can be a self-signed

certificate, or one issue by a commercial certificate issuing authority. To

generate a self-signed certificate requires one core piece of information, the

name of the organization.

@example

# cat > ca.info <<EOF

cn = Name of your organization

ca

cert_signing_key

EOF

# certtool --generate-self-signed \

           --load-privkey ca-key.pem

           --template ca.info \

           --outfile ca-cert.pem

@end example

The @code{ca-cert.pem} file should be copied to all servers and clients wishing to utilize

TLS support in the VNC server. The @code{ca-key.pem} must not be disclosed/copied at all.

@node vnc_generate_server

@subsubsection Issuing server certificates

Each server (or host) needs to be issued with a key and certificate. When connecting

the certificate is sent to the client which validates it against the CA certificate.

The core piece of information for a server certificate is the hostname. This should

be the fully qualified hostname that the client will connect with, since the client

will typically also verify the hostname in the certificate. On the host holding the

secure CA private key:

@example

# cat > server.info <<EOF

organization = Name  of your organization

cn = server.foo.example.com

tls_www_server

encryption_key

signing_key

EOF

# certtool --generate-privkey > server-key.pem

# certtool --generate-certificate \

           --load-ca-certificate ca-cert.pem \

           --load-ca-privkey ca-key.pem \

           --load-privkey server server-key.pem \

           --template server.info \

           --outfile server-cert.pem

@end example

The @code{server-key.pem} and @code{server-cert.pem} files should now be securely copied

to the server for which they were generated. The @code{server-key.pem} is security

sensitive and should be kept protected with file mode 0600 to prevent disclosure.

@node vnc_generate_client

@subsubsection Issuing client certificates

If the QEMU VNC server is to use the @code{x509verify} option to validate client

certificates as its authentication mechanism, each client also needs to be issued

a certificate. The client certificate contains enough metadata to uniquely identify

the client, typically organization, state, city, building, etc. On the host holding

the secure CA private key:

@example

# cat > client.info <<EOF

country = GB

state = London

locality = London

organiazation = Name of your organization

cn = client.foo.example.com

tls_www_client

encryption_key

signing_key

EOF

# certtool --generate-privkey > client-key.pem

# certtool --generate-certificate \

           --load-ca-certificate ca-cert.pem \

           --load-ca-privkey ca-key.pem \

           --load-privkey client-key.pem \

           --template client.info \

           --outfile client-cert.pem

@end example

The @code{client-key.pem} and @code{client-cert.pem} files should now be securely

copied to the client for which they were generated.

@node vnc_setup_sasl

@subsection Configuring SASL mechanisms

The following documentation assumes use of the Cyrus SASL implementation on a

Linux host, but the principals should apply to any other SASL impl. When SASL

is enabled, the mechanism configuration will be loaded from system default

SASL service config /etc/sasl2/qemu.conf. If running QEMU as an

unprivileged user, an environment variable SASL_CONF_PATH can be used

to make it search alternate locations for the service config.

The default configuration might contain

@example

mech_list: digest-md5

sasldb_path: /etc/qemu/passwd.db

@end example

This says to use the 'Digest MD5' mechanism, which is similar to the HTTP

Digest-MD5 mechanism. The list of valid usernames & passwords is maintained

in the /etc/qemu/passwd.db file, and can be updated using the saslpasswd2

command. While this mechanism is easy to configure and use, it is not

considered secure by modern standards, so only suitable for developers /

ad-hoc testing.

A more serious deployment might use Kerberos, which is done with the 'gssapi'

mechanism

@example

mech_list: gssapi

keytab: /etc/qemu/krb5.tab

@end example

For this to work the administrator of your KDC must generate a Kerberos

principal for the server, with a name of  'qemu/somehost.example.com@@EXAMPLE.COM'

replacing 'somehost.example.com' with the fully qualified host name of the

machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm.

Other configurations will be left as an exercise for the reader. It should

be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data

encryption. For all other mechanisms, VNC should always be configured to

use TLS and x509 certificates to protect security credentials from snooping.

@node gdb_usage

@section GDB usage

QEMU has a primitive support to work with gdb, so that you can do

'Ctrl-C' while the virtual machine is running and inspect its state.

In order to use gdb, launch qemu with the '-s' option. It will wait for a

gdb connection:

@example

> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \

       -append "root=/dev/hda"

Connected to host network interface: tun0

Waiting gdb connection on port 1234

@end example

Then launch gdb on the 'vmlinux' executable:

@example

> gdb vmlinux

@end example

In gdb, connect to QEMU:

@example

(gdb) target remote localhost:1234

@end example

Then you can use gdb normally. For example, type 'c' to launch the kernel:

@example

(gdb) c

@end example

Here are some useful tips in order to use gdb on system code:

@enumerate

@item

Use @code{info reg} to display all the CPU registers.

@item

Use @code{x/10i $eip} to display the code at the PC position.

@item

Use @code{set architecture i8086} to dump 16 bit code. Then use

@code{x/10i $cs*16+$eip} to dump the code at the PC position.

@end enumerate

Advanced debugging options:

The default single stepping behavior is step with the IRQs and timer service routines off.  It is set this way because when gdb executes a single step it expects to advance beyond the current instruction.  With the IRQs and and timer service routines on, a single step might jump into the one of the interrupt or exception vectors instead of executing the current instruction. This means you may hit the same breakpoint a number of times before executing the instruction gdb wants to have executed.  Because there are rare circumstances where you want to single step into an interrupt vector the behavior can be controlled from GDB.  There are three commands you can query and set the single step behavior:

@table @code

@item maintenance packet qqemu.sstepbits

This will display the MASK bits used to control the single stepping IE:

@example

(gdb) maintenance packet qqemu.sstepbits

sending: "qqemu.sstepbits"

received: "ENABLE=1,NOIRQ=2,NOTIMER=4"

@end example

@item maintenance packet qqemu.sstep

This will display the current value of the mask used when single stepping IE:

@example

(gdb) maintenance packet qqemu.sstep

sending: "qqemu.sstep"

received: "0x7"

@end example

@item maintenance packet Qqemu.sstep=HEX_VALUE

This will change the single step mask, so if wanted to enable IRQs on the single step, but not timers, you would use:

@example

(gdb) maintenance packet Qqemu.sstep=0x5

sending: "qemu.sstep=0x5"

received: "OK"

@end example

@end table

@node pcsys_os_specific

@section Target OS specific information

@subsection Linux

To have access to SVGA graphic modes under X11, use the @code{vesa} or

the @code{cirrus} X11 driver. For optimal performances, use 16 bit

color depth in the guest and the host OS.

When using a 2.6 guest Linux kernel, you should add the option

@code{clock=pit} on the kernel command line because the 2.6 Linux

kernels make very strict real time clock checks by default that QEMU

cannot simulate exactly.

When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is

not activated because QEMU is slower with this patch. The QEMU

Accelerator Module is also much slower in this case. Earlier Fedora

Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporate this

patch by default. Newer kernels don't have it.

@subsection Windows

If you have a slow host, using Windows 95 is better as it gives the

best speed. Windows 2000 is also a good choice.

@subsubsection SVGA graphic modes support

QEMU emulates a Cirrus Logic GD5446 Video

card. All Windows versions starting from Windows 95 should recognize

and use this graphic card. For optimal performances, use 16 bit color

depth in the guest and the host OS.

If you are using Windows XP as guest OS and if you want to use high

resolution modes which the Cirrus Logic BIOS does not support (i.e. >=

1280x1024x16), then you should use the VESA VBE virtual graphic card

(option @option{-std-vga}).

@subsubsection CPU usage reduction

Windows 9x does not correctly use the CPU HLT

instruction. The result is that it takes host CPU cycles even when

idle. You can install the utility from

@url{http://www.user.cityline.ru/~maxamn/amnhltm.zip} to solve this

problem. Note that no such tool is needed for NT, 2000 or XP.

@subsubsection Windows 2000 disk full problem

Windows 2000 has a bug which gives a disk full problem during its

installation. When installing it, use the @option{-win2k-hack} QEMU

option to enable a specific workaround. After Windows 2000 is

installed, you no longer need this option (this option slows down the

IDE transfers).

@subsubsection Windows 2000 shutdown

Windows 2000 cannot automatically shutdown in QEMU although Windows 98

can. It comes from the fact that Windows 2000 does not automatically

use the APM driver provided by the BIOS.

In order to correct that, do the following (thanks to Struan

Bartlett): go to the Control Panel => Add/Remove Hardware & Next =>

Add/Troubleshoot a device => Add a new device & Next => No, select the

hardware from a list & Next => NT Apm/Legacy Support & Next => Next

(again) a few times. Now the driver is installed and Windows 2000 now

correctly instructs QEMU to shutdown at the appropriate moment.

@subsubsection Share a directory between Unix and Windows

See @ref{sec_invocation} about the help of the option @option{-smb}.

@subsubsection Windows XP security problem

Some releases of Windows XP install correctly but give a security

error when booting:

@example

A problem is preventing Windows from accurately checking the

license for this computer. Error code: 0x800703e6.

@end example

The workaround is to install a service pack for XP after a boot in safe

mode. Then reboot, and the problem should go away. Since there is no

network while in safe mode, its recommended to download the full

installation of SP1 or SP2 and transfer that via an ISO or using the

vvfat block device ("-hdb fat:directory_which_holds_the_SP").

@subsection MS-DOS and FreeDOS

@subsubsection CPU usage reduction

DOS does not correctly use the CPU HLT instruction. The result is that

it takes host CPU cycles even when idle. You can install the utility

from @url{http://www.vmware.com/software/dosidle210.zip} to solve this

problem.

@node QEMU System emulator for non PC targets

@chapter QEMU System emulator for non PC targets

QEMU is a generic emulator and it emulates many non PC

machines. Most of the options are similar to the PC emulator. The

differences are mentioned in the following sections.

@menu

* QEMU PowerPC System emulator::

* Sparc32 System emulator::

* Sparc64 System emulator::

* MIPS System emulator::

* ARM System emulator::

* ColdFire System emulator::

@end menu

@node QEMU PowerPC System emulator

@section QEMU PowerPC System emulator

Use the executable @file{qemu-system-ppc} to simulate a complete PREP

or PowerMac PowerPC system.

QEMU emulates the following PowerMac peripherals:

@itemize @minus

@item

UniNorth or Grackle PCI Bridge

@item

PCI VGA compatible card with VESA Bochs Extensions

@item

2 PMAC IDE interfaces with hard disk and CD-ROM support

@item

NE2000 PCI adapters

@item

Non Volatile RAM

@item

VIA-CUDA with ADB keyboard and mouse.

@end itemize

QEMU emulates the following PREP peripherals:

@itemize @minus

@item

PCI Bridge

@item

PCI VGA compatible card with VESA Bochs Extensions

@item

2 IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@item

NE2000 network adapters

@item

Serial port

@item

PREP Non Volatile RAM

@item

PC compatible keyboard and mouse.

@end itemize

QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at

@url{http://perso.magic.fr/l_indien/OpenHackWare/index.htm}.

Since version 0.9.1, QEMU uses OpenBIOS @url{http://www.openbios.org/}

for the g3beige and mac99 PowerMac machines. OpenBIOS is a free (GPL

v2) portable firmware implementation. The goal is to implement a 100%

IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.

@c man begin OPTIONS

The following options are specific to the PowerPC emulation:

@table @option

@item -g @var{W}x@var{H}[x@var{DEPTH}]

Set the initial VGA graphic mode. The default is 800x600x15.

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example

qemu-system-ppc -prom-env 'auto-boot?=false' \

 -prom-env 'boot-device=hd:2,\yaboot' \

 -prom-env 'boot-args=conf=hd:2,\yaboot.conf'

@end example

These variables are not used by Open Hack'Ware.

@end table

@c man end

More information is available at

@url{http://perso.magic.fr/l_indien/qemu-ppc/}.

@node Sparc32 System emulator

@section Sparc32 System emulator

Use the executable @file{qemu-system-sparc} to simulate the following

Sun4m architecture machines:

@itemize @minus

@item

SPARCstation 4

@item

SPARCstation 5

@item

SPARCstation 10

@item

SPARCstation 20

@item

SPARCserver 600MP

@item

SPARCstation LX

@item

SPARCstation Voyager

@item

SPARCclassic

@item

SPARCbook

@end itemize

The emulation is somewhat complete. SMP up to 16 CPUs is supported,

but Linux limits the number of usable CPUs to 4.

It's also possible to simulate a SPARCstation 2 (sun4c architecture),

SPARCserver 1000, or SPARCcenter 2000 (sun4d architecture), but these

emulators are not usable yet.

QEMU emulates the following sun4m/sun4c/sun4d peripherals:

@itemize @minus

@item

IOMMU or IO-UNITs

@item

TCX Frame buffer

@item

Lance (Am7990) Ethernet

@item

Non Volatile RAM M48T02/M48T08

@item

Slave I/O: timers, interrupt controllers, Zilog serial ports, keyboard

and power/reset logic

@item

ESP SCSI controller with hard disk and CD-ROM support

@item

Floppy drive (not on SS-600MP)

@item

CS4231 sound device (only on SS-5, not working yet)

@end itemize

The number of peripherals is fixed in the architecture.  Maximum

memory size depends on the machine type, for SS-5 it is 256MB and for

others 2047MB.

Since version 0.8.2, QEMU uses OpenBIOS

@url{http://www.openbios.org/}. OpenBIOS is a free (GPL v2) portable

firmware implementation. The goal is to implement a 100% IEEE

1275-1994 (referred to as Open Firmware) compliant firmware.

A sample Linux 2.6 series kernel and ram disk image are available on

the QEMU web site. There are still issues with NetBSD and OpenBSD, but

some kernel versions work. Please note that currently Solaris kernels

don't work probably due to interface issues between OpenBIOS and

Solaris.

@c man begin OPTIONS

The following options are specific to the Sparc32 emulation:

@table @option

@item -g @var{W}x@var{H}x[x@var{DEPTH}]

Set the initial TCX graphic mode. The default is 1024x768x8, currently

the only other possible mode is 1024x768x24.

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example

qemu-system-sparc -prom-env 'auto-boot?=false' \

 -prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'

@end example

@item -M [SS-4|SS-5|SS-10|SS-20|SS-600MP|LX|Voyager|SPARCClassic|SPARCbook|SS-2|SS-1000|SS-2000]

Set the emulated machine type. Default is SS-5.

@end table

@c man end

@node Sparc64 System emulator

@section Sparc64 System emulator

Use the executable @file{qemu-system-sparc64} to simulate a Sun4u

(UltraSPARC PC-like machine), Sun4v (T1 PC-like machine), or generic

Niagara (T1) machine. The emulator is not usable for anything yet, but

it can launch some kernels.

QEMU emulates the following peripherals:

@itemize @minus

@item

UltraSparc IIi APB PCI Bridge

@item

PCI VGA compatible card with VESA Bochs Extensions

@item

PS/2 mouse and keyboard

@item

Non Volatile RAM M48T59

@item

PC-compatible serial ports

@item

2 PCI IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@end itemize

@c man begin OPTIONS

The following options are specific to the Sparc64 emulation:

@table @option

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example

qemu-system-sparc64 -prom-env 'auto-boot?=false'

@end example

@item -M [sun4u|sun4v|Niagara]

Set the emulated machine type. The default is sun4u.

@end table

@c man end

@node MIPS System emulator

@section MIPS System emulator

Four executables cover simulation of 32 and 64-bit MIPS systems in

both endian options, @file{qemu-system-mips}, @file{qemu-system-mipsel}

@file{qemu-system-mips64} and @file{qemu-system-mips64el}.

Five different machine types are emulated:

@itemize @minus

@item

A generic ISA PC-like machine "mips"

@item

The MIPS Malta prototype board "malta"

@item

An ACER Pica "pica61". This machine needs the 64-bit emulator.

@item

MIPS emulator pseudo board "mipssim"

@item

A MIPS Magnum R4000 machine "magnum". This machine needs the 64-bit emulator.

@end itemize

The generic emulation is supported by Debian 'Etch' and is able to

install Debian into a virtual disk image. The following devices are

emulated:

@itemize @minus

@item

A range of MIPS CPUs, default is the 24Kf

@item

PC style serial port

@item

PC style IDE disk

@item

NE2000 network card

@end itemize

The Malta emulation supports the following devices:

@itemize @minus

@item

Core board with MIPS 24Kf CPU and Galileo system controller

@item

PIIX4 PCI/USB/SMbus controller

@item

The Multi-I/O chip's serial device

@item

PCI network cards (PCnet32 and others)

@item

Malta FPGA serial device

@item

Cirrus (default) or any other PCI VGA graphics card

@end itemize

The ACER Pica emulation supports:

@itemize @minus

@item

MIPS R4000 CPU

@item

PC-style IRQ and DMA controllers

@item