Archipelago » qemu

\input texinfo @c -*- texinfo -*-

@c %**start of header

@setfilename qemu-doc.info

@settitle QEMU CPU Emulator User Documentation

@exampleindent 0

@paragraphindent 0

@c %**end of header

@iftex

@titlepage

@sp 7

@center @titlefont{QEMU CPU Emulator}

@sp 1

@center @titlefont{User Documentation}

@sp 3

@end titlepage

@end iftex

@ifnottex

@node Top

@top

@menu

* Introduction::

* Installation::

* QEMU PC System emulator::

* QEMU System emulator for non PC targets::

* QEMU Linux User space emulator::

* compilation:: Compilation from the sources

* Index::

@end menu

@end ifnottex

@contents

@node Introduction

@chapter Introduction

@menu

* intro_features:: Features

@end menu

@node intro_features

@section Features

QEMU is a FAST! processor emulator using dynamic translation to

achieve good emulation speed.

QEMU has two operating modes:

@itemize @minus

@item 

Full system emulation. In this mode, QEMU emulates a full system (for

example a PC), including one or several processors and various

peripherals. It can be used to launch different Operating Systems

without rebooting the PC or to debug system code.

@item 

User mode emulation (Linux host only). In this mode, QEMU can launch

Linux processes compiled for one CPU on another CPU. It can be used to

launch the Wine Windows API emulator (@url{http://www.winehq.org}) or

to ease cross-compilation and cross-debugging.

@end itemize

QEMU can run without an host kernel driver and yet gives acceptable

performance. 

For system emulation, the following hardware targets are supported:

@itemize

@item PC (x86 or x86_64 processor)

@item ISA PC (old style PC without PCI bus)

@item PREP (PowerPC processor)

@item G3 BW PowerMac (PowerPC processor)

@item Mac99 PowerMac (PowerPC processor, in progress)

@item Sun4m (32-bit Sparc processor)

@item Sun4u (64-bit Sparc processor, in progress)

@item Malta board (32-bit MIPS processor)

@item ARM Integrator/CP (ARM926E or 1026E processor)

@item ARM Versatile baseboard (ARM926E)

@end itemize

For user emulation, x86, PowerPC, ARM, MIPS, and Sparc32/64 CPUs are supported.

@node Installation

@chapter Installation

If you want to compile QEMU yourself, see @ref{compilation}.

@menu

* install_linux::   Linux

* install_windows:: Windows

* install_mac::     Macintosh

@end menu

@node install_linux

@section Linux

If a precompiled package is available for your distribution - you just

have to install it. Otherwise, see @ref{compilation}.

@node install_windows

@section Windows

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node install_mac

@section Mac OS X

Download the experimental binary installer at

@url{http://www.free.oszoo.org/@/download.html}.

@node QEMU PC System emulator

@chapter QEMU PC System emulator

@menu

* pcsys_introduction:: Introduction

* pcsys_quickstart::   Quick Start

* sec_invocation::     Invocation

* pcsys_keys::         Keys

* pcsys_monitor::      QEMU Monitor

* disk_images::        Disk Images

* pcsys_network::      Network emulation

* direct_linux_boot::  Direct Linux Boot

* pcsys_usb::          USB emulation

* gdb_usage::          GDB usage

* pcsys_os_specific::  Target OS specific information

@end menu

@node pcsys_introduction

@section Introduction

@c man begin DESCRIPTION

The QEMU PC System emulator simulates the

following peripherals:

@itemize @minus

@item 

i440FX host PCI bridge and PIIX3 PCI to ISA bridge

@item

Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA

extensions (hardware level, including all non standard modes).

@item

PS/2 mouse and keyboard

@item 

2 PCI IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@item 

NE2000 PCI network adapters

@item

Serial ports

@item

Creative SoundBlaster 16 sound card

@item

ENSONIQ AudioPCI ES1370 sound card

@item

Adlib(OPL2) - Yamaha YM3812 compatible chip

@item

PCI UHCI USB controller and a virtual USB hub.

@end itemize

SMP is supported with up to 255 CPUs.

Note that adlib is only available when QEMU was configured with

-enable-adlib

QEMU uses the PC BIOS from the Bochs project and the Plex86/Bochs LGPL

VGA BIOS.

QEMU uses YM3812 emulation by Tatsuyuki Satoh.

@c man end

@node pcsys_quickstart

@section Quick Start

Download and uncompress the linux image (@file{linux.img}) and type:

@example

qemu linux.img

@end example

Linux should boot and give you a prompt.

@node sec_invocation

@section Invocation

@example

@c man begin SYNOPSIS

usage: qemu [options] [disk_image]

@c man end

@end example

@c man begin OPTIONS

@var{disk_image} is a raw hard disk image for IDE hard disk 0.

General options:

@table @option

@item -M machine

Select the emulated machine (@code{-M ?} for list)

@item -fda file

@item -fdb file

Use @var{file} as floppy disk 0/1 image (@pxref{disk_images}). You can

use the host floppy by using @file{/dev/fd0} as filename.

@item -hda file

@item -hdb file

@item -hdc file

@item -hdd file

Use @var{file} as hard disk 0, 1, 2 or 3 image (@pxref{disk_images}).

@item -cdrom file

Use @var{file} as CD-ROM image (you cannot use @option{-hdc} and and

@option{-cdrom} at the same time). You can use the host CD-ROM by

using @file{/dev/cdrom} as filename.

@item -boot [a|c|d]

Boot on floppy (a), hard disk (c) or CD-ROM (d). Hard disk boot is

the default.

@item -snapshot

Write to temporary files instead of disk image files. In this case,

the raw disk image you use is not written back. You can however force

the write back by pressing @key{C-a s} (@pxref{disk_images}). 

@item -no-fd-bootchk

Disable boot signature checking for floppy disks in Bochs BIOS. It may

be needed to boot from old floppy disks.

@item -m megs

Set virtual RAM size to @var{megs} megabytes. Default is 128 MB.

@item -smp n

Simulate an SMP system with @var{n} CPUs. On the PC target, up to 255

CPUs are supported.

@item -nographic

Normally, QEMU uses SDL to display the VGA output. With this option,

you can totally disable graphical output so that QEMU is a simple

command line application. The emulated serial port is redirected on

the console. Therefore, you can still use QEMU to debug a Linux kernel

with a serial console.

@item -vnc d

Normally, QEMU uses SDL to display the VGA output.  With this option,

you can have QEMU listen on VNC display d and redirect the VGA display

over the VNC session.  It is very useful to enable the usb tablet device

when using this option (option @option{-usbdevice tablet}).

@item -k language

Use keyboard layout @var{language} (for example @code{fr} for

French). This option is only needed where it is not easy to get raw PC

keycodes (e.g. on Macs or with some X11 servers). You don't need to

use it on PC/Linux or PC/Windows hosts.

The available layouts are:

@example

ar  de-ch  es  fo     fr-ca  hu  ja  mk     no  pt-br  sv

da  en-gb  et  fr     fr-ch  is  lt  nl     pl  ru     th

de  en-us  fi  fr-be  hr     it  lv  nl-be  pt  sl     tr

@end example

The default is @code{en-us}.

@item -audio-help

Will show the audio subsystem help: list of drivers, tunable

parameters.

@item -soundhw card1,card2,... or -soundhw all

Enable audio and selected sound hardware. Use ? to print all

available sound hardware.

@example

qemu -soundhw sb16,adlib hda

qemu -soundhw es1370 hda

qemu -soundhw all hda

qemu -soundhw ?

@end example

@item -localtime

Set the real time clock to local time (the default is to UTC

time). This option is needed to have correct date in MS-DOS or

Windows.

@item -full-screen

Start in full screen.

@item -pidfile file

Store the QEMU process PID in @var{file}. It is useful if you launch QEMU

from a script.

@item -win2k-hack

Use it when installing Windows 2000 to avoid a disk full bug. After

Windows 2000 is installed, you no longer need this option (this option

slows down the IDE transfers).

@end table

USB options:

@table @option

@item -usb

Enable the USB driver (will be the default soon)

@item -usbdevice devname

Add the USB device @var{devname}. @xref{usb_devices}.

@end table

Network options:

@table @option

@item -net nic[,vlan=n][,macaddr=addr][,model=type]

Create a new Network Interface Card and connect it to VLAN @var{n} (@var{n}

= 0 is the default). The NIC is currently an NE2000 on the PC

target. Optionally, the MAC address can be changed. If no

@option{-net} option is specified, a single NIC is created.

Qemu can emulate several different models of network card.  Valid values for

@var{type} are @code{ne2k_pci}, @code{ne2k_isa}, @code{rtl8139},

@code{smc91c111} and @code{lance}.  Not all devices are supported on all

targets.

@item -net user[,vlan=n][,hostname=name]

Use the user mode network stack which requires no administrator

priviledge to run.  @option{hostname=name} can be used to specify the client

hostname reported by the builtin DHCP server.

@item -net tap[,vlan=n][,fd=h][,ifname=name][,script=file]

Connect the host TAP network interface @var{name} to VLAN @var{n} and

use the network script @var{file} to configure it. The default

network script is @file{/etc/qemu-ifup}. If @var{name} is not

provided, the OS automatically provides one.  @option{fd=h} can be

used to specify the handle of an already opened host TAP interface. Example:

@example

qemu linux.img -net nic -net tap

@end example

More complicated example (two NICs, each one connected to a TAP device)

@example

qemu linux.img -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 \

               -net nic,vlan=1 -net tap,vlan=1,ifname=tap1

@end example

@item -net socket[,vlan=n][,fd=h][,listen=[host]:port][,connect=host:port]

Connect the VLAN @var{n} to a remote VLAN in another QEMU virtual

machine using a TCP socket connection. If @option{listen} is

specified, QEMU waits for incoming connections on @var{port}

(@var{host} is optional). @option{connect} is used to connect to

another QEMU instance using the @option{listen} option. @option{fd=h}

specifies an already opened TCP socket.

Example:

@example

# launch a first QEMU instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,listen=:1234

# connect the VLAN 0 of this instance to the VLAN 0

# of the first instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \

               -net socket,connect=127.0.0.1:1234

@end example

@item -net socket[,vlan=n][,fd=h][,mcast=maddr:port]

Create a VLAN @var{n} shared with another QEMU virtual

machines using a UDP multicast socket, effectively making a bus for 

every QEMU with same multicast address @var{maddr} and @var{port}.

NOTES:

@enumerate

@item 

Several QEMU can be running on different hosts and share same bus (assuming 

correct multicast setup for these hosts).

@item

mcast support is compatible with User Mode Linux (argument @option{eth@var{N}=mcast}), see

@url{http://user-mode-linux.sf.net}.

@item Use @option{fd=h} to specify an already opened UDP multicast socket.

@end enumerate

Example:

@example

# launch one QEMU instance

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,mcast=230.0.0.1:1234

# launch another QEMU instance on same "bus"

qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \

               -net socket,mcast=230.0.0.1:1234

# launch yet another QEMU instance on same "bus"

qemu linux.img -net nic,macaddr=52:54:00:12:34:58 \

               -net socket,mcast=230.0.0.1:1234

@end example

Example (User Mode Linux compat.):

@example

# launch QEMU instance (note mcast address selected

# is UML's default)

qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \

               -net socket,mcast=239.192.168.1:1102

# launch UML

/path/to/linux ubd0=/path/to/root_fs eth0=mcast

@end example

@item -net none

Indicate that no network devices should be configured. It is used to

override the default configuration (@option{-net nic -net user}) which

is activated if no @option{-net} options are provided.

@item -tftp prefix

When using the user mode network stack, activate a built-in TFTP

server. All filenames beginning with @var{prefix} can be downloaded

from the host to the guest using a TFTP client. The TFTP client on the

guest must be configured in binary mode (use the command @code{bin} of

the Unix TFTP client). The host IP address on the guest is as usual

10.0.2.2.

@item -smb dir

When using the user mode network stack, activate a built-in SMB

server so that Windows OSes can access to the host files in @file{dir}

transparently.

In the guest Windows OS, the line:

@example

10.0.2.4 smbserver

@end example

must be added in the file @file{C:\WINDOWS\LMHOSTS} (for windows 9x/Me)

or @file{C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS} (Windows NT/2000).

Then @file{dir} can be accessed in @file{\\smbserver\qemu}.

Note that a SAMBA server must be installed on the host OS in

@file{/usr/sbin/smbd}. QEMU was tested succesfully with smbd version

2.2.7a from the Red Hat 9 and version 3.0.10-1.fc3 from Fedora Core 3.

@item -redir [tcp|udp]:host-port:[guest-host]:guest-port

When using the user mode network stack, redirect incoming TCP or UDP

connections to the host port @var{host-port} to the guest

@var{guest-host} on guest port @var{guest-port}. If @var{guest-host}

is not specified, its value is 10.0.2.15 (default address given by the

built-in DHCP server).

For example, to redirect host X11 connection from screen 1 to guest

screen 0, use the following:

@example

# on the host

qemu -redir tcp:6001::6000 [...]

# this host xterm should open in the guest X11 server

xterm -display :1

@end example

To redirect telnet connections from host port 5555 to telnet port on

the guest, use the following:

@example

# on the host

qemu -redir tcp:5555::23 [...]

telnet localhost 5555

@end example

Then when you use on the host @code{telnet localhost 5555}, you

connect to the guest telnet server.

@end table

Linux boot specific: When using these options, you can use a given

Linux kernel without installing it in the disk image. It can be useful

for easier testing of various kernels.

@table @option

@item -kernel bzImage 

Use @var{bzImage} as kernel image.

@item -append cmdline 

Use @var{cmdline} as kernel command line

@item -initrd file

Use @var{file} as initial ram disk.

@end table

Debug/Expert options:

@table @option

@item -serial dev

Redirect the virtual serial port to host device @var{dev}. Available

devices are:

@table @code

@item vc

Virtual console

@item pty

[Linux only] Pseudo TTY (a new PTY is automatically allocated)

@item null

void device

@item /dev/XXX

[Linux only] Use host tty, e.g. @file{/dev/ttyS0}. The host serial port

parameters are set according to the emulated ones.

@item /dev/parportN

[Linux only, parallel port only] Use host parallel port

@var{N}. Currently only SPP parallel port features can be used.

@item file:filename

Write output to filename. No character can be read.

@item stdio

[Unix only] standard input/output

@item pipe:filename

[Unix only] name pipe @var{filename}

@end table

The default device is @code{vc} in graphical mode and @code{stdio} in

non graphical mode.

This option can be used several times to simulate up to 4 serials

ports.

@item -parallel dev

Redirect the virtual parallel port to host device @var{dev} (same

devices as the serial port). On Linux hosts, @file{/dev/parportN} can

be used to use hardware devices connected on the corresponding host

parallel port.

This option can be used several times to simulate up to 3 parallel

ports.

@item -monitor dev

Redirect the monitor to host device @var{dev} (same devices as the

serial port).

The default device is @code{vc} in graphical mode and @code{stdio} in

non graphical mode.

@item -s

Wait gdb connection to port 1234 (@pxref{gdb_usage}). 

@item -p port

Change gdb connection port.

@item -S

Do not start CPU at startup (you must type 'c' in the monitor).

@item -d             

Output log in /tmp/qemu.log

@item -hdachs c,h,s,[,t]

Force hard disk 0 physical geometry (1 <= @var{c} <= 16383, 1 <=

@var{h} <= 16, 1 <= @var{s} <= 63) and optionally force the BIOS

translation mode (@var{t}=none, lba or auto). Usually QEMU can guess

all thoses parameters. This option is useful for old MS-DOS disk

images.

@item -std-vga

Simulate a standard VGA card with Bochs VBE extensions (default is

Cirrus Logic GD5446 PCI VGA)

@item -loadvm file

Start right away with a saved state (@code{loadvm} in monitor)

@end table

@c man end

@node pcsys_keys

@section Keys

@c man begin OPTIONS

During the graphical emulation, you can use the following keys:

@table @key

@item Ctrl-Alt-f

Toggle full screen

@item Ctrl-Alt-n

Switch to virtual console 'n'. Standard console mappings are:

@table @emph

@item 1

Target system display

@item 2

Monitor

@item 3

Serial port

@end table

@item Ctrl-Alt

Toggle mouse and keyboard grab.

@end table

In the virtual consoles, you can use @key{Ctrl-Up}, @key{Ctrl-Down},

@key{Ctrl-PageUp} and @key{Ctrl-PageDown} to move in the back log.

During emulation, if you are using the @option{-nographic} option, use

@key{Ctrl-a h} to get terminal commands:

@table @key

@item Ctrl-a h

Print this help

@item Ctrl-a x    

Exit emulatior

@item Ctrl-a s    

Save disk data back to file (if -snapshot)

@item Ctrl-a b

Send break (magic sysrq in Linux)

@item Ctrl-a c

Switch between console and monitor

@item Ctrl-a Ctrl-a

Send Ctrl-a

@end table

@c man end

@ignore

@c man begin SEEALSO

The HTML documentation of QEMU for more precise information and Linux

user mode emulator invocation.

@c man end

@c man begin AUTHOR

Fabrice Bellard

@c man end

@end ignore

@node pcsys_monitor

@section QEMU Monitor

The QEMU monitor is used to give complex commands to the QEMU

emulator. You can use it to:

@itemize @minus

@item

Remove or insert removable medias images

(such as CD-ROM or floppies)

@item 

Freeze/unfreeze the Virtual Machine (VM) and save or restore its state

from a disk file.

@item Inspect the VM state without an external debugger.

@end itemize

@subsection Commands

The following commands are available:

@table @option

@item help or ? [cmd]

Show the help for all commands or just for command @var{cmd}.

@item commit  

Commit changes to the disk images (if -snapshot is used)

@item info subcommand 

show various information about the system state

@table @option

@item info network

show the various VLANs and the associated devices

@item info block

show the block devices

@item info registers

show the cpu registers

@item info history

show the command line history

@item info pci

show emulated PCI device

@item info usb

show USB devices plugged on the virtual USB hub

@item info usbhost

show all USB host devices

@end table

@item q or quit

Quit the emulator.

@item eject [-f] device

Eject a removable media (use -f to force it).

@item change device filename

Change a removable media.

@item screendump filename

Save screen into PPM image @var{filename}.

@item log item1[,...]

Activate logging of the specified items to @file{/tmp/qemu.log}.

@item savevm filename

Save the whole virtual machine state to @var{filename}.

@item loadvm filename

Restore the whole virtual machine state from @var{filename}.

@item stop

Stop emulation.

@item c or cont

Resume emulation.

@item gdbserver [port]

Start gdbserver session (default port=1234)

@item x/fmt addr

Virtual memory dump starting at @var{addr}.

@item xp /fmt addr

Physical memory dump starting at @var{addr}.

@var{fmt} is a format which tells the command how to format the

data. Its syntax is: @option{/@{count@}@{format@}@{size@}}

@table @var

@item count 

is the number of items to be dumped.

@item format

can be x (hexa), d (signed decimal), u (unsigned decimal), o (octal),

c (char) or i (asm instruction).

@item size

can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,

@code{h} or @code{w} can be specified with the @code{i} format to

respectively select 16 or 32 bit code instruction size.

@end table

Examples: 

@itemize

@item

Dump 10 instructions at the current instruction pointer:

@example 

(qemu) x/10i $eip

0x90107063:  ret

0x90107064:  sti

0x90107065:  lea    0x0(%esi,1),%esi

0x90107069:  lea    0x0(%edi,1),%edi

0x90107070:  ret

0x90107071:  jmp    0x90107080

0x90107073:  nop

0x90107074:  nop

0x90107075:  nop

0x90107076:  nop

@end example

@item

Dump 80 16 bit values at the start of the video memory.

@smallexample 

(qemu) xp/80hx 0xb8000

0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42

0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41

0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72

0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73

0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20

0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720

0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720

@end smallexample

@end itemize

@item p or print/fmt expr

Print expression value. Only the @var{format} part of @var{fmt} is

used.

@item sendkey keys

Send @var{keys} to the emulator. Use @code{-} to press several keys

simultaneously. Example:

@example

sendkey ctrl-alt-f1

@end example

This command is useful to send keys that your graphical user interface

intercepts at low level, such as @code{ctrl-alt-f1} in X Window.

@item system_reset

Reset the system.

@item usb_add devname

Add the USB device @var{devname}.  For details of available devices see

@ref{usb_devices}

@item usb_del devname

Remove the USB device @var{devname} from the QEMU virtual USB

hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor

command @code{info usb} to see the devices you can remove.

@end table

@subsection Integer expressions

The monitor understands integers expressions for every integer

argument. You can use register names to get the value of specifics

CPU registers by prefixing them with @emph{$}.

@node disk_images

@section Disk Images

Since version 0.6.1, QEMU supports many disk image formats, including

growable disk images (their size increase as non empty sectors are

written), compressed and encrypted disk images.

@menu

* disk_images_quickstart::    Quick start for disk image creation

* disk_images_snapshot_mode:: Snapshot mode

* qemu_img_invocation::       qemu-img Invocation

* disk_images_fat_images::    Virtual FAT disk images

@end menu

@node disk_images_quickstart

@subsection Quick start for disk image creation

You can create a disk image with the command:

@example

qemu-img create myimage.img mysize

@end example

where @var{myimage.img} is the disk image filename and @var{mysize} is its

size in kilobytes. You can add an @code{M} suffix to give the size in

megabytes and a @code{G} suffix for gigabytes.

See @ref{qemu_img_invocation} for more information.

@node disk_images_snapshot_mode

@subsection Snapshot mode

If you use the option @option{-snapshot}, all disk images are

considered as read only. When sectors in written, they are written in

a temporary file created in @file{/tmp}. You can however force the

write back to the raw disk images by using the @code{commit} monitor

command (or @key{C-a s} in the serial console).

@node qemu_img_invocation

@subsection @code{qemu-img} Invocation

@include qemu-img.texi

@node disk_images_fat_images

@subsection Virtual FAT disk images

QEMU can automatically create a virtual FAT disk image from a

directory tree. In order to use it, just type:

@example 

qemu linux.img -hdb fat:/my_directory

@end example

Then you access access to all the files in the @file{/my_directory}

directory without having to copy them in a disk image or to export

them via SAMBA or NFS. The default access is @emph{read-only}.

Floppies can be emulated with the @code{:floppy:} option:

@example 

qemu linux.img -fda fat:floppy:/my_directory

@end example

A read/write support is available for testing (beta stage) with the

@code{:rw:} option:

@example 

qemu linux.img -fda fat:floppy:rw:/my_directory

@end example

What you should @emph{never} do:

@itemize

@item use non-ASCII filenames ;

@item use "-snapshot" together with ":rw:" ;

@item expect it to work when loadvm'ing ;

@item write to the FAT directory on the host system while accessing it with the guest system.

@end itemize

@node pcsys_network

@section Network emulation

QEMU can simulate several networks cards (NE2000 boards on the PC

target) and can connect them to an arbitrary number of Virtual Local

Area Networks (VLANs). Host TAP devices can be connected to any QEMU

VLAN. VLAN can be connected between separate instances of QEMU to

simulate large networks. For simpler usage, a non priviledged user mode

network stack can replace the TAP device to have a basic network

connection.

@subsection VLANs

QEMU simulates several VLANs. A VLAN can be symbolised as a virtual

connection between several network devices. These devices can be for

example QEMU virtual Ethernet cards or virtual Host ethernet devices

(TAP devices).

@subsection Using TAP network interfaces

This is the standard way to connect QEMU to a real network. QEMU adds

a virtual network device on your host (called @code{tapN}), and you

can then configure it as if it was a real ethernet card.

As an example, you can download the @file{linux-test-xxx.tar.gz}

archive and copy the script @file{qemu-ifup} in @file{/etc} and

configure properly @code{sudo} so that the command @code{ifconfig}

contained in @file{qemu-ifup} can be executed as root. You must verify

that your host kernel supports the TAP network interfaces: the

device @file{/dev/net/tun} must be present.

See @ref{direct_linux_boot} to have an example of network use with a

Linux distribution and @ref{sec_invocation} to have examples of

command lines using the TAP network interfaces.

@subsection Using the user mode network stack

By using the option @option{-net user} (default configuration if no

@option{-net} option is specified), QEMU uses a completely user mode

network stack (you don't need root priviledge to use the virtual

network). The virtual network configuration is the following:

@example

         QEMU VLAN      <------>  Firewall/DHCP server <-----> Internet

                           |          (10.0.2.2)

                           |

                           ---->  DNS server (10.0.2.3)

                           |     

                           ---->  SMB server (10.0.2.4)

@end example

The QEMU VM behaves as if it was behind a firewall which blocks all

incoming connections. You can use a DHCP client to automatically

configure the network in the QEMU VM. The DHCP server assign addresses

to the hosts starting from 10.0.2.15.

In order to check that the user mode network is working, you can ping

the address 10.0.2.2 and verify that you got an address in the range

10.0.2.x from the QEMU virtual DHCP server.

Note that @code{ping} is not supported reliably to the internet as it

would require root priviledges. It means you can only ping the local

router (10.0.2.2).

When using the built-in TFTP server, the router is also the TFTP

server.

When using the @option{-redir} option, TCP or UDP connections can be

redirected from the host to the guest. It allows for example to

redirect X11, telnet or SSH connections.

@subsection Connecting VLANs between QEMU instances

Using the @option{-net socket} option, it is possible to make VLANs

that span several QEMU instances. See @ref{sec_invocation} to have a

basic example.

@node direct_linux_boot

@section Direct Linux Boot

This section explains how to launch a Linux kernel inside QEMU without

having to make a full bootable image. It is very useful for fast Linux

kernel testing. The QEMU network configuration is also explained.

@enumerate

@item

Download the archive @file{linux-test-xxx.tar.gz} containing a Linux

kernel and a disk image. 

@item Optional: If you want network support (for example to launch X11 examples), you

must copy the script @file{qemu-ifup} in @file{/etc} and configure

properly @code{sudo} so that the command @code{ifconfig} contained in

@file{qemu-ifup} can be executed as root. You must verify that your host

kernel supports the TUN/TAP network interfaces: the device

@file{/dev/net/tun} must be present.

When network is enabled, there is a virtual network connection between

the host kernel and the emulated kernel. The emulated kernel is seen

from the host kernel at IP address 172.20.0.2 and the host kernel is

seen from the emulated kernel at IP address 172.20.0.1.

@item Launch @code{qemu.sh}. You should have the following output:

@smallexample

> ./qemu.sh 

Connected to host network interface: tun0

Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 @/(Red Hat @/Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003

BIOS-provided physical RAM map:

 BIOS-e801: 0000000000000000 - 000000000009f000 (usable)

 BIOS-e801: 0000000000100000 - 0000000002000000 (usable)

32MB LOWMEM available.

On node 0 totalpages: 8192

zone(0): 4096 pages.

zone(1): 4096 pages.

zone(2): 0 pages.

Kernel command line: root=/dev/hda sb=0x220,5,1,5 ide2=noprobe ide3=noprobe ide4=noprobe @/ide5=noprobe console=ttyS0

ide_setup: ide2=noprobe

ide_setup: ide3=noprobe

ide_setup: ide4=noprobe

ide_setup: ide5=noprobe

Initializing CPU#0

Detected 2399.621 MHz processor.

Console: colour EGA 80x25

Calibrating delay loop... 4744.80 BogoMIPS

Memory: 28872k/32768k available (1210k kernel code, 3508k reserved, 266k data, 64k init, @/0k highmem)

Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)

Inode cache hash table entries: 2048 (order: 2, 16384 bytes)

Mount cache hash table entries: 512 (order: 0, 4096 bytes)

Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)

Page-cache hash table entries: 8192 (order: 3, 32768 bytes)

CPU: Intel Pentium Pro stepping 03

Checking 'hlt' instruction... OK.

POSIX conformance testing by UNIFIX

Linux NET4.0 for Linux 2.4

Based upon Swansea University Computer Society NET3.039

Initializing RT netlink socket

apm: BIOS not found.

Starting kswapd

Journalled Block Device driver loaded

Detected PS/2 Mouse Port.

pty: 256 Unix98 ptys configured

Serial driver version 5.05c (2001-07-08) with no serial options enabled

ttyS00 at 0x03f8 (irq = 4) is a 16450

ne.c:v1.10 9/23/94 Donald Becker (becker@@scyld.com)

Last modified Nov 1, 2000 by Paul Gortmaker

NE*000 ethercard probe at 0x300: 52 54 00 12 34 56

eth0: NE2000 found at 0x300, using IRQ 9.

RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize

Uniform Multi-Platform E-IDE driver Revision: 7.00beta4-2.4

ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx

hda: QEMU HARDDISK, ATA DISK drive

ide0 at 0x1f0-0x1f7,0x3f6 on irq 14

hda: attached ide-disk driver.

hda: 20480 sectors (10 MB) w/256KiB Cache, CHS=20/16/63

Partition check:

 hda:

Soundblaster audio driver Copyright (C) by Hannu Savolainen 1993-1996

NET4: Linux TCP/IP 1.0 for NET4.0

IP Protocols: ICMP, UDP, TCP, IGMP

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 2048 bind 4096)

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.

EXT2-fs warning: mounting unchecked fs, running e2fsck is recommended

VFS: Mounted root (ext2 filesystem).

Freeing unused kernel memory: 64k freed

Linux version 2.4.21 (bellard@@voyager.localdomain) (gcc version 3.2.2 20030222 @/(Red Hat @/Linux 3.2.2-5)) #5 Tue Nov 11 18:18:53 CET 2003

QEMU Linux test distribution (based on Redhat 9)

Type 'exit' to halt the system

sh-2.05b# 

@end smallexample

@item

Then you can play with the kernel inside the virtual serial console. You

can launch @code{ls} for example. Type @key{Ctrl-a h} to have an help

about the keys you can type inside the virtual serial console. In

particular, use @key{Ctrl-a x} to exit QEMU and use @key{Ctrl-a b} as

the Magic SysRq key.

@item 

If the network is enabled, launch the script @file{/etc/linuxrc} in the

emulator (don't forget the leading dot):

@example

. /etc/linuxrc

@end example

Then enable X11 connections on your PC from the emulated Linux: 

@example

xhost +172.20.0.2

@end example

You can now launch @file{xterm} or @file{xlogo} and verify that you have

a real Virtual Linux system !

@end enumerate

NOTES:

@enumerate

@item 

A 2.5.74 kernel is also included in the archive. Just

replace the bzImage in qemu.sh to try it.

@item 

In order to exit cleanly from qemu, you can do a @emph{shutdown} inside

qemu. qemu will automatically exit when the Linux shutdown is done.

@item 

You can boot slightly faster by disabling the probe of non present IDE

interfaces. To do so, add the following options on the kernel command

line:

@example

ide1=noprobe ide2=noprobe ide3=noprobe ide4=noprobe ide5=noprobe

@end example

@item 

The example disk image is a modified version of the one made by Kevin

Lawton for the plex86 Project (@url{www.plex86.org}).

@end enumerate

@node pcsys_usb

@section USB emulation

QEMU emulates a PCI UHCI USB controller. You can virtually plug

virtual USB devices or real host USB devices (experimental, works only

on Linux hosts).  Qemu will automatically create and connect virtual USB hubs

as neccessary to connect multiple USB devices.

@menu

* usb_devices::

* host_usb_devices::

@end menu

@node usb_devices

@subsection Connecting USB devices

USB devices can be connected with the @option{-usbdevice} commandline option

or the @code{usb_add} monitor command.  Available devices are:

@table @var

@item @code{mouse}

Virtual Mouse.  This will override the PS/2 mouse emulation when activated.

@item @code{tablet}

Pointer device that uses abolsute coordinates (like a touchscreen).

This means qemu is able to report the mouse position without having

to grab the mouse.  Also overrides the PS/2 mouse emulation when activated.

@item @code{disk:file}

Mass storage device based on @var{file} (@pxref{disk_images})

@item @code{host:bus.addr}

Pass through the host device identified by @var{bus.addr}

(Linux only)

@item @code{host:vendor_id:product_id}

Pass through the host device identified by @var{vendor_id:product_id}

(Linux only)

@end table

@node host_usb_devices

@subsection Using host USB devices on a Linux host

WARNING: this is an experimental feature. QEMU will slow down when

using it. USB devices requiring real time streaming (i.e. USB Video

Cameras) are not supported yet.

@enumerate

@item If you use an early Linux 2.4 kernel, verify that no Linux driver 

is actually using the USB device. A simple way to do that is simply to

disable the corresponding kernel module by renaming it from @file{mydriver.o}

to @file{mydriver.o.disabled}.

@item Verify that @file{/proc/bus/usb} is working (most Linux distributions should enable it by default). You should see something like that:

@example

ls /proc/bus/usb

001  devices  drivers

@end example

@item Since only root can access to the USB devices directly, you can either launch QEMU as root or change the permissions of the USB devices you want to use. For testing, the following suffices:

@example

chown -R myuid /proc/bus/usb

@end example

@item Launch QEMU and do in the monitor:

@example 

info usbhost

  Device 1.2, speed 480 Mb/s

    Class 00: USB device 1234:5678, USB DISK

@end example

You should see the list of the devices you can use (Never try to use

hubs, it won't work).

@item Add the device in QEMU by using:

@example 

usb_add host:1234:5678

@end example

Normally the guest OS should report that a new USB device is

plugged. You can use the option @option{-usbdevice} to do the same.

@item Now you can try to use the host USB device in QEMU.

@end enumerate

When relaunching QEMU, you may have to unplug and plug again the USB

device to make it work again (this is a bug).

@node gdb_usage

@section GDB usage

QEMU has a primitive support to work with gdb, so that you can do

'Ctrl-C' while the virtual machine is running and inspect its state.

In order to use gdb, launch qemu with the '-s' option. It will wait for a

gdb connection:

@example

> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \

       -append "root=/dev/hda"

Connected to host network interface: tun0

Waiting gdb connection on port 1234

@end example

Then launch gdb on the 'vmlinux' executable:

@example

> gdb vmlinux

@end example

In gdb, connect to QEMU:

@example

(gdb) target remote localhost:1234

@end example

Then you can use gdb normally. For example, type 'c' to launch the kernel:

@example

(gdb) c

@end example

Here are some useful tips in order to use gdb on system code:

@enumerate

@item

Use @code{info reg} to display all the CPU registers.

@item

Use @code{x/10i $eip} to display the code at the PC position.

@item

Use @code{set architecture i8086} to dump 16 bit code. Then use

@code{x/10i $cs*16+$eip} to dump the code at the PC position.

@end enumerate

@node pcsys_os_specific

@section Target OS specific information

@subsection Linux

To have access to SVGA graphic modes under X11, use the @code{vesa} or

the @code{cirrus} X11 driver. For optimal performances, use 16 bit

color depth in the guest and the host OS.

When using a 2.6 guest Linux kernel, you should add the option

@code{clock=pit} on the kernel command line because the 2.6 Linux

kernels make very strict real time clock checks by default that QEMU

cannot simulate exactly.

When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is

not activated because QEMU is slower with this patch. The QEMU

Accelerator Module is also much slower in this case. Earlier Fedora

Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporte this

patch by default. Newer kernels don't have it.

@subsection Windows

If you have a slow host, using Windows 95 is better as it gives the

best speed. Windows 2000 is also a good choice.

@subsubsection SVGA graphic modes support

QEMU emulates a Cirrus Logic GD5446 Video

card. All Windows versions starting from Windows 95 should recognize

and use this graphic card. For optimal performances, use 16 bit color

depth in the guest and the host OS.

@subsubsection CPU usage reduction

Windows 9x does not correctly use the CPU HLT

instruction. The result is that it takes host CPU cycles even when

idle. You can install the utility from

@url{http://www.user.cityline.ru/~maxamn/amnhltm.zip} to solve this

problem. Note that no such tool is needed for NT, 2000 or XP.

@subsubsection Windows 2000 disk full problem

Windows 2000 has a bug which gives a disk full problem during its

installation. When installing it, use the @option{-win2k-hack} QEMU

option to enable a specific workaround. After Windows 2000 is

installed, you no longer need this option (this option slows down the

IDE transfers).

@subsubsection Windows 2000 shutdown

Windows 2000 cannot automatically shutdown in QEMU although Windows 98

can. It comes from the fact that Windows 2000 does not automatically

use the APM driver provided by the BIOS.

In order to correct that, do the following (thanks to Struan

Bartlett): go to the Control Panel => Add/Remove Hardware & Next =>

Add/Troubleshoot a device => Add a new device & Next => No, select the

hardware from a list & Next => NT Apm/Legacy Support & Next => Next

(again) a few times. Now the driver is installed and Windows 2000 now

correctly instructs QEMU to shutdown at the appropriate moment. 

@subsubsection Share a directory between Unix and Windows

See @ref{sec_invocation} about the help of the option @option{-smb}.

@subsubsection Windows XP security problems

Some releases of Windows XP install correctly but give a security

error when booting:

@example

A problem is preventing Windows from accurately checking the

license for this computer. Error code: 0x800703e6.

@end example

The only known workaround is to boot in Safe mode

without networking support. 

Future QEMU releases are likely to correct this bug.

@subsection MS-DOS and FreeDOS

@subsubsection CPU usage reduction

DOS does not correctly use the CPU HLT instruction. The result is that

it takes host CPU cycles even when idle. You can install the utility

from @url{http://www.vmware.com/software/dosidle210.zip} to solve this

problem.

@node QEMU System emulator for non PC targets

@chapter QEMU System emulator for non PC targets

QEMU is a generic emulator and it emulates many non PC

machines. Most of the options are similar to the PC emulator. The

differences are mentionned in the following sections.

@menu

* QEMU PowerPC System emulator::

* Sparc32 System emulator invocation::

* Sparc64 System emulator invocation::

* MIPS System emulator invocation::

* ARM System emulator invocation::

@end menu

@node QEMU PowerPC System emulator

@section QEMU PowerPC System emulator

Use the executable @file{qemu-system-ppc} to simulate a complete PREP

or PowerMac PowerPC system.

QEMU emulates the following PowerMac peripherals:

@itemize @minus

@item 

UniNorth PCI Bridge 

@item

PCI VGA compatible card with VESA Bochs Extensions

@item 

2 PMAC IDE interfaces with hard disk and CD-ROM support

@item 

NE2000 PCI adapters

@item

Non Volatile RAM

@item

VIA-CUDA with ADB keyboard and mouse.

@end itemize

QEMU emulates the following PREP peripherals:

@itemize @minus

@item 

PCI Bridge

@item

PCI VGA compatible card with VESA Bochs Extensions

@item 

2 IDE interfaces with hard disk and CD-ROM support

@item

Floppy disk

@item 

NE2000 network adapters

@item

Serial port

@item

PREP Non Volatile RAM

@item

PC compatible keyboard and mouse.

@end itemize

QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at

@url{http://perso.magic.fr/l_indien/OpenHackWare/index.htm}.

@c man begin OPTIONS

The following options are specific to the PowerPC emulation:

@table @option

@item -g WxH[xDEPTH]  

Set the initial VGA graphic mode. The default is 800x600x15.

@end table

@c man end 

More information is available at

@url{http://perso.magic.fr/l_indien/qemu-ppc/}.

@node Sparc32 System emulator invocation

@section Sparc32 System emulator invocation

Use the executable @file{qemu-system-sparc} to simulate a SparcStation 5

(sun4m architecture). The emulation is somewhat complete.

QEMU emulates the following sun4m peripherals:

@itemize @minus

@item

IOMMU

@item

TCX Frame buffer

@item 

Lance (Am7990) Ethernet

@item

Non Volatile RAM M48T08

@item

Slave I/O: timers, interrupt controllers, Zilog serial ports, keyboard

and power/reset logic

@item

ESP SCSI controller with hard disk and CD-ROM support

@item

Floppy drive

@end itemize

The number of peripherals is fixed in the architecture.

Since version 0.8.1, QEMU uses OpenBIOS

@url{http://www.openbios.org/}. OpenBIOS is a free (GPL v2) portable

firmware implementation. The goal is to implement a 100% IEEE

1275-1994 (referred to as Open Firmware) compliant firmware.

A sample Linux 2.6 series kernel and ram disk image are available on

the QEMU web site. Please note that currently NetBSD, OpenBSD or

Solaris kernels don't work.

@c man begin OPTIONS

The following options are specific to the Sparc emulation:

@table @option

@item -g WxH

Set the initial TCX graphic mode. The default is 1024x768.

@end table

@c man end 

@node Sparc64 System emulator invocation

@section Sparc64 System emulator invocation

Use the executable @file{qemu-system-sparc64} to simulate a Sun4u machine.

The emulator is not usable for anything yet.

QEMU emulates the following sun4u peripherals:

@itemize @minus

@item

UltraSparc IIi APB PCI Bridge 

@item

PCI VGA compatible card with VESA Bochs Extensions

@item

Non Volatile RAM M48T59

@item

PC-compatible serial ports

@end itemize

@node MIPS System emulator invocation

@section MIPS System emulator invocation

Use the executable @file{qemu-system-mips} to simulate a MIPS machine.

The emulator is able to boot a Linux kernel and to run a Linux Debian

installation from NFS. The following devices are emulated:

@itemize @minus

@item 

MIPS R4K CPU

@item

PC style serial port

@item

NE2000 network card

@end itemize

More information is available in the QEMU mailing-list archive.

@node ARM System emulator invocation

@section ARM System emulator invocation

Use the executable @file{qemu-system-arm} to simulate a ARM

machine. The ARM Integrator/CP board is emulated with the following

devices:

@itemize @minus

@item

ARM926E or ARM1026E CPU

@item

Two PL011 UARTs

@item 

SMC 91c111 Ethernet adapter

@item

PL110 LCD controller

@item

PL050 KMI with PS/2 keyboard and mouse.

@end itemize

The ARM Versatile baseboard is emulated with the following devices:

@itemize @minus

@item

ARM926E CPU

@item

PL190 Vectored Interrupt Controller

@item

Four PL011 UARTs

@item 

SMC 91c111 Ethernet adapter

@item

PL110 LCD controller

@item

PL050 KMI with PS/2 keyboard and mouse.

@item

PCI host bridge.  Note the emulated PCI bridge only provides access to

PCI memory space.  It does not provide access to PCI IO space.

This means some devices (eg. ne2k_pci NIC) are not useable, and others

(eg. rtl8139 NIC) are only useable when the guest drivers use the memory

mapped control registers.

@end itemize

A Linux 2.6 test image is available on the QEMU web site. More

information is available in the QEMU mailing-list archive.

@node QEMU Linux User space emulator 

@chapter QEMU Linux User space emulator 

@menu

* Quick Start::

* Wine launch::

* Command line options::

* Other binaries::

@end menu

@node Quick Start

@section Quick Start

In order to launch a Linux process, QEMU needs the process executable

itself and all the target (x86) dynamic libraries used by it. 

@itemize

@item On x86, you can just try to launch any process by using the native

libraries:

@example 

qemu-i386 -L / /bin/ls

@end example

@code{-L /} tells that the x86 dynamic linker must be searched with a

@file{/} prefix.

@item Since QEMU is also a linux process, you can launch qemu with qemu (NOTE: you can only do that if you compiled QEMU from the sources):

@example 

qemu-i386 -L / qemu-i386 -L / /bin/ls

@end example

@item On non x86 CPUs, you need first to download at least an x86 glibc

(@file{qemu-runtime-i386-XXX-.tar.gz} on the QEMU web page). Ensure that

@code{LD_LIBRARY_PATH} is not set:

@example

unset LD_LIBRARY_PATH 

@end example

Then you can launch the precompiled @file{ls} x86 executable:

@example

qemu-i386 tests/i386/ls

@end example

You can look at @file{qemu-binfmt-conf.sh} so that

QEMU is automatically launched by the Linux kernel when you try to

launch x86 executables. It requires the @code{binfmt_misc} module in the

Linux kernel.

@item The x86 version of QEMU is also included. You can try weird things such as:

@example

qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \