qemu-doc.texi

\input texinfo @c -*- texinfo -*-
@c %**start of header
@setfilename qemu-doc.info
@include version.texi

@documentlanguage en
@documentencoding UTF-8

@settitle QEMU version @value{VERSION} User Documentation
@exampleindent 0
@paragraphindent 0
@c %**end of header

@ifinfo
@direntry
* QEMU: (qemu-doc).    The QEMU Emulator User Documentation.
@end direntry
@end ifinfo

@iftex
@titlepage
@sp 7
@center @titlefont{QEMU version @value{VERSION}}
@sp 1
@center @titlefont{User Documentation}
@sp 3
@end titlepage
@end iftex

@ifnottex
@node Top
@top

@menu
* Introduction::
* QEMU PC System emulator::
* QEMU System emulator for non PC targets::
* QEMU Guest Agent::
* QEMU User space emulator::
* System requirements::
* Security::
* Implementation notes::
* Deprecated features::
* Supported build platforms::
* License::
* Index::
@end menu
@end ifnottex

@contents

@node Introduction
@chapter Introduction

@menu
* intro_features:: Features
@end menu

@node intro_features
@section Features

QEMU is a FAST! processor emulator using dynamic translation to
achieve good emulation speed.

@cindex operating modes
QEMU has two operating modes:

@itemize
@cindex system emulation
@item Full system emulation. In this mode, QEMU emulates a full system (for
example a PC), including one or several processors and various
peripherals. It can be used to launch different Operating Systems
without rebooting the PC or to debug system code.

@cindex user mode emulation
@item User mode emulation. In this mode, QEMU can launch
processes compiled for one CPU on another CPU. It can be used to
launch the Wine Windows API emulator (@url{https://www.winehq.org}) or
to ease cross-compilation and cross-debugging.

@end itemize

QEMU has the following features:

@itemize
@item QEMU can run without a host kernel driver and yet gives acceptable
performance.  It uses dynamic translation to native code for reasonable speed,
with support for self-modifying code and precise exceptions.

@item It is portable to several operating systems (GNU/Linux, *BSD, Mac OS X,
Windows) and architectures.

@item It performs accurate software emulation of the FPU.
@end itemize

QEMU user mode emulation has the following features:
@itemize
@item Generic Linux system call converter, including most ioctls.

@item clone() emulation using native CPU clone() to use Linux scheduler for threads.

@item Accurate signal handling by remapping host signals to target signals.
@end itemize

QEMU full system emulation has the following features:
@itemize
@item
QEMU uses a full software MMU for maximum portability.

@item
QEMU can optionally use an in-kernel accelerator, like kvm. The accelerators
execute most of the guest code natively, while
continuing to emulate the rest of the machine.

@item
Various hardware devices can be emulated and in some cases, host
devices (e.g. serial and parallel ports, USB, drives) can be used
transparently by the guest Operating System. Host device passthrough
can be used for talking to external physical peripherals (e.g. a
webcam, modem or tape drive).

@item
Symmetric multiprocessing (SMP) support.  Currently, an in-kernel
accelerator is required to use more than one host CPU for emulation.

@end itemize


@node QEMU PC System emulator
@chapter QEMU PC System emulator
@cindex system emulation (PC)

@menu
* pcsys_introduction:: Introduction
* pcsys_quickstart::   Quick Start
* sec_invocation::     Invocation
* pcsys_keys::         Keys in the graphical frontends
* mux_keys::           Keys in the character backend multiplexer
* pcsys_monitor::      QEMU Monitor
* cpu_models::         CPU models
* disk_images::        Disk Images
* pcsys_network::      Network emulation
* pcsys_other_devs::   Other Devices
* direct_linux_boot::  Direct Linux Boot
* pcsys_usb::          USB emulation
* vnc_security::       VNC security
* network_tls::        TLS setup for network services
* gdb_usage::          GDB usage
* pcsys_os_specific::  Target OS specific information
@end menu

@node pcsys_introduction
@section Introduction

@c man begin DESCRIPTION

The QEMU PC System emulator simulates the
following peripherals:

@itemize @minus
@item
i440FX host PCI bridge and PIIX3 PCI to ISA bridge
@item
Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA
extensions (hardware level, including all non standard modes).
@item
PS/2 mouse and keyboard
@item
2 PCI IDE interfaces with hard disk and CD-ROM support
@item
Floppy disk
@item
PCI and ISA network adapters
@item
Serial ports
@item
IPMI BMC, either and internal or external one
@item
Creative SoundBlaster 16 sound card
@item
ENSONIQ AudioPCI ES1370 sound card
@item
Intel 82801AA AC97 Audio compatible sound card
@item
Intel HD Audio Controller and HDA codec
@item
Adlib (OPL2) - Yamaha YM3812 compatible chip
@item
Gravis Ultrasound GF1 sound card
@item
CS4231A compatible sound card
@item
PCI UHCI, OHCI, EHCI or XHCI USB controller and a virtual USB-1.1 hub.
@end itemize

SMP is supported with up to 255 CPUs.

QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs LGPL
VGA BIOS.

QEMU uses YM3812 emulation by Tatsuyuki Satoh.

QEMU uses GUS emulation (GUSEMU32 @url{http://www.deinmeister.de/gusemu/})
by Tibor "TS" Schütz.

Note that, by default, GUS shares IRQ(7) with parallel ports and so
QEMU must be told to not have parallel ports to have working GUS.

@example
qemu-system-i386 dos.img -soundhw gus -parallel none
@end example

Alternatively:
@example
qemu-system-i386 dos.img -device gus,irq=5
@end example

Or some other unclaimed IRQ.

CS4231A is the chip used in Windows Sound System and GUSMAX products

@c man end

@node pcsys_quickstart
@section Quick Start
@cindex quick start

Download and uncompress the linux image (@file{linux.img}) and type:

@example
qemu-system-i386 linux.img
@end example

Linux should boot and give you a prompt.

@node sec_invocation
@section Invocation

@example
@c man begin SYNOPSIS
@command{qemu-system-i386} [@var{options}] [@var{disk_image}]
@c man end
@end example

@c man begin OPTIONS
@var{disk_image} is a raw hard disk image for IDE hard disk 0. Some
targets do not need a disk image.

@include qemu-options.texi

@c man end

@subsection Device URL Syntax
@c TODO merge this with section Disk Images

@c man begin NOTES

In addition to using normal file images for the emulated storage devices,
QEMU can also use networked resources such as iSCSI devices. These are
specified using a special URL syntax.

@table @option
@item iSCSI
iSCSI support allows QEMU to access iSCSI resources directly and use as
images for the guest storage. Both disk and cdrom images are supported.

Syntax for specifying iSCSI LUNs is
``iscsi://<target-ip>[:<port>]/<target-iqn>/<lun>''

By default qemu will use the iSCSI initiator-name
'iqn.2008-11.org.linux-kvm[:<name>]' but this can also be set from the command
line or a configuration file.

Since version Qemu 2.4 it is possible to specify a iSCSI request timeout to detect
stalled requests and force a reestablishment of the session. The timeout
is specified in seconds. The default is 0 which means no timeout. Libiscsi
1.15.0 or greater is required for this feature.

Example (without authentication):
@example
qemu-system-i386 -iscsi initiator-name=iqn.2001-04.com.example:my-initiator \
                 -cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
                 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
@end example

Example (CHAP username/password via URL):
@example
qemu-system-i386 -drive file=iscsi://user%password@@192.0.2.1/iqn.2001-04.com.example/1
@end example

Example (CHAP username/password via environment variables):
@example
LIBISCSI_CHAP_USERNAME="user" \
LIBISCSI_CHAP_PASSWORD="password" \
qemu-system-i386 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
@end example

@item NBD
QEMU supports NBD (Network Block Devices) both using TCP protocol as well
as Unix Domain Sockets.

Syntax for specifying a NBD device using TCP
``nbd:<server-ip>:<port>[:exportname=<export>]''

Syntax for specifying a NBD device using Unix Domain Sockets
``nbd:unix:<domain-socket>[:exportname=<export>]''

Example for TCP
@example
qemu-system-i386 --drive file=nbd:192.0.2.1:30000
@end example

Example for Unix Domain Sockets
@example
qemu-system-i386 --drive file=nbd:unix:/tmp/nbd-socket
@end example

@item SSH
QEMU supports SSH (Secure Shell) access to remote disks.

Examples:
@example
qemu-system-i386 -drive file=ssh://user@@host/path/to/disk.img
qemu-system-i386 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img
@end example

Currently authentication must be done using ssh-agent.  Other
authentication methods may be supported in future.

@item Sheepdog
Sheepdog is a distributed storage system for QEMU.
QEMU supports using either local sheepdog devices or remote networked
devices.

Syntax for specifying a sheepdog device
@example
sheepdog[+tcp|+unix]://[host:port]/vdiname[?socket=path][#snapid|#tag]
@end example

Example
@example
qemu-system-i386 --drive file=sheepdog://192.0.2.1:30000/MyVirtualMachine
@end example

See also @url{https://sheepdog.github.io/sheepdog/}.

@item GlusterFS
GlusterFS is a user space distributed file system.
QEMU supports the use of GlusterFS volumes for hosting VM disk images using
TCP, Unix Domain Sockets and RDMA transport protocols.

Syntax for specifying a VM disk image on GlusterFS volume is
@example

URI:
gluster[+type]://[host[:port]]/volume/path[?socket=...][,debug=N][,logfile=...]

JSON:
'json:@{"driver":"qcow2","file":@{"driver":"gluster","volume":"testvol","path":"a.img","debug":N,"logfile":"...",
@                                 "server":[@{"type":"tcp","host":"...","port":"..."@},
@                                           @{"type":"unix","socket":"..."@}]@}@}'
@end example


Example
@example
URI:
qemu-system-x86_64 --drive file=gluster://192.0.2.1/testvol/a.img,
@                               file.debug=9,file.logfile=/var/log/qemu-gluster.log

JSON:
qemu-system-x86_64 'json:@{"driver":"qcow2",
@                          "file":@{"driver":"gluster",
@                                   "volume":"testvol","path":"a.img",
@                                   "debug":9,"logfile":"/var/log/qemu-gluster.log",
@                                   "server":[@{"type":"tcp","host":"1.2.3.4","port":24007@},
@                                             @{"type":"unix","socket":"/var/run/glusterd.socket"@}]@}@}'
qemu-system-x86_64 -drive driver=qcow2,file.driver=gluster,file.volume=testvol,file.path=/path/a.img,
@                                      file.debug=9,file.logfile=/var/log/qemu-gluster.log,
@                                      file.server.0.type=tcp,file.server.0.host=1.2.3.4,file.server.0.port=24007,
@                                      file.server.1.type=unix,file.server.1.socket=/var/run/glusterd.socket
@end example

See also @url{http://www.gluster.org}.

@item HTTP/HTTPS/FTP/FTPS
QEMU supports read-only access to files accessed over http(s) and ftp(s).

Syntax using a single filename:
@example
<protocol>://[<username>[:<password>]@@]<host>/<path>
@end example

where:
@table @option
@item protocol
'http', 'https', 'ftp', or 'ftps'.

@item username
Optional username for authentication to the remote server.

@item password
Optional password for authentication to the remote server.

@item host
Address of the remote server.

@item path
Path on the remote server, including any query string.
@end table

The following options are also supported:
@table @option
@item url
The full URL when passing options to the driver explicitly.

@item readahead
The amount of data to read ahead with each range request to the remote server.
This value may optionally have the suffix 'T', 'G', 'M', 'K', 'k' or 'b'. If it
does not have a suffix, it will be assumed to be in bytes. The value must be a
multiple of 512 bytes. It defaults to 256k.

@item sslverify
Whether to verify the remote server's certificate when connecting over SSL. It
can have the value 'on' or 'off'. It defaults to 'on'.

@item cookie
Send this cookie (it can also be a list of cookies separated by ';') with
each outgoing request.  Only supported when using protocols such as HTTP
which support cookies, otherwise ignored.

@item timeout
Set the timeout in seconds of the CURL connection. This timeout is the time
that CURL waits for a response from the remote server to get the size of the
image to be downloaded. If not set, the default timeout of 5 seconds is used.
@end table

Note that when passing options to qemu explicitly, @option{driver} is the value
of <protocol>.

Example: boot from a remote Fedora 20 live ISO image
@example
qemu-system-x86_64 --drive media=cdrom,file=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly

qemu-system-x86_64 --drive media=cdrom,file.driver=http,file.url=http://dl.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly
@end example

Example: boot from a remote Fedora 20 cloud image using a local overlay for
writes, copy-on-read, and a readahead of 64k
@example
qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"http",, "file.url":"https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2",, "file.readahead":"64k"@}' /tmp/Fedora-x86_64-20-20131211.1-sda.qcow2

qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-on-read=on
@end example

Example: boot from an image stored on a VMware vSphere server with a self-signed
certificate using a local overlay for writes, a readahead of 64k and a timeout
of 10 seconds.
@example
qemu-img create -f qcow2 -o backing_file='json:@{"file.driver":"https",, "file.url":"https://user:password@@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10@}' /tmp/test.qcow2

qemu-system-x86_64 -drive file=/tmp/test.qcow2
@end example

@end table

@c man end

@node pcsys_keys
@section Keys in the graphical frontends

@c man begin OPTIONS

During the graphical emulation, you can use special key combinations to change
modes. The default key mappings are shown below, but if you use @code{-alt-grab}
then the modifier is Ctrl-Alt-Shift (instead of Ctrl-Alt) and if you use
@code{-ctrl-grab} then the modifier is the right Ctrl key (instead of Ctrl-Alt):

@table @key
@item Ctrl-Alt-f
@kindex Ctrl-Alt-f
Toggle full screen

@item Ctrl-Alt-+
@kindex Ctrl-Alt-+
Enlarge the screen

@item Ctrl-Alt--
@kindex Ctrl-Alt--
Shrink the screen

@item Ctrl-Alt-u
@kindex Ctrl-Alt-u
Restore the screen's un-scaled dimensions

@item Ctrl-Alt-n
@kindex Ctrl-Alt-n
Switch to virtual console 'n'. Standard console mappings are:
@table @emph
@item 1
Target system display
@item 2
Monitor
@item 3
Serial port
@end table

@item Ctrl-Alt
@kindex Ctrl-Alt
Toggle mouse and keyboard grab.
@end table

@kindex Ctrl-Up
@kindex Ctrl-Down
@kindex Ctrl-PageUp
@kindex Ctrl-PageDown
In the virtual consoles, you can use @key{Ctrl-Up}, @key{Ctrl-Down},
@key{Ctrl-PageUp} and @key{Ctrl-PageDown} to move in the back log.

@c man end

@node mux_keys
@section Keys in the character backend multiplexer

@c man begin OPTIONS

During emulation, if you are using a character backend multiplexer
(which is the default if you are using @option{-nographic}) then
several commands are available via an escape sequence. These
key sequences all start with an escape character, which is @key{Ctrl-a}
by default, but can be changed with @option{-echr}. The list below assumes
you're using the default.

@table @key
@item Ctrl-a h
@kindex Ctrl-a h
Print this help
@item Ctrl-a x
@kindex Ctrl-a x
Exit emulator
@item Ctrl-a s
@kindex Ctrl-a s
Save disk data back to file (if -snapshot)
@item Ctrl-a t
@kindex Ctrl-a t
Toggle console timestamps
@item Ctrl-a b
@kindex Ctrl-a b
Send break (magic sysrq in Linux)
@item Ctrl-a c
@kindex Ctrl-a c
Rotate between the frontends connected to the multiplexer (usually
this switches between the monitor and the console)
@item Ctrl-a Ctrl-a
@kindex Ctrl-a Ctrl-a
Send the escape character to the frontend
@end table
@c man end

@ignore

@c man begin SEEALSO
The HTML documentation of QEMU for more precise information and Linux
user mode emulator invocation.
@c man end

@c man begin AUTHOR
Fabrice Bellard
@c man end

@end ignore

@node pcsys_monitor
@section QEMU Monitor
@cindex QEMU monitor

The QEMU monitor is used to give complex commands to the QEMU
emulator. You can use it to:

@itemize @minus

@item
Remove or insert removable media images
(such as CD-ROM or floppies).

@item
Freeze/unfreeze the Virtual Machine (VM) and save or restore its state
from a disk file.

@item Inspect the VM state without an external debugger.

@end itemize

@subsection Commands

The following commands are available:

@include qemu-monitor.texi

@include qemu-monitor-info.texi

@subsection Integer expressions

The monitor understands integers expressions for every integer
argument. You can use register names to get the value of specifics
CPU registers by prefixing them with @emph{$}.

@node cpu_models
@section CPU models

@include docs/qemu-cpu-models.texi

@node disk_images
@section Disk Images

QEMU supports many disk image formats, including growable disk images
(their size increase as non empty sectors are written), compressed and
encrypted disk images.

@menu
* disk_images_quickstart::    Quick start for disk image creation
* disk_images_snapshot_mode:: Snapshot mode
* vm_snapshots::              VM snapshots
* qemu_img_invocation::       qemu-img Invocation
* qemu_nbd_invocation::       qemu-nbd Invocation
* disk_images_formats::       Disk image file formats
* host_drives::               Using host drives
* disk_images_fat_images::    Virtual FAT disk images
* disk_images_nbd::           NBD access
* disk_images_sheepdog::      Sheepdog disk images
* disk_images_iscsi::         iSCSI LUNs
* disk_images_gluster::       GlusterFS disk images
* disk_images_ssh::           Secure Shell (ssh) disk images
* disk_images_nvme::          NVMe userspace driver
* disk_image_locking::        Disk image file locking
@end menu

@node disk_images_quickstart
@subsection Quick start for disk image creation

You can create a disk image with the command:
@example
qemu-img create myimage.img mysize
@end example
where @var{myimage.img} is the disk image filename and @var{mysize} is its
size in kilobytes. You can add an @code{M} suffix to give the size in
megabytes and a @code{G} suffix for gigabytes.

See @ref{qemu_img_invocation} for more information.

@node disk_images_snapshot_mode
@subsection Snapshot mode

If you use the option @option{-snapshot}, all disk images are
considered as read only. When sectors in written, they are written in
a temporary file created in @file{/tmp}. You can however force the
write back to the raw disk images by using the @code{commit} monitor
command (or @key{C-a s} in the serial console).

@node vm_snapshots
@subsection VM snapshots

VM snapshots are snapshots of the complete virtual machine including
CPU state, RAM, device state and the content of all the writable
disks. In order to use VM snapshots, you must have at least one non
removable and writable block device using the @code{qcow2} disk image
format. Normally this device is the first virtual hard drive.

Use the monitor command @code{savevm} to create a new VM snapshot or
replace an existing one. A human readable name can be assigned to each
snapshot in addition to its numerical ID.

Use @code{loadvm} to restore a VM snapshot and @code{delvm} to remove
a VM snapshot. @code{info snapshots} lists the available snapshots
with their associated information:

@example
(qemu) info snapshots
Snapshot devices: hda
Snapshot list (from hda):
ID        TAG                 VM SIZE                DATE       VM CLOCK
1         start                   41M 2006-08-06 12:38:02   00:00:14.954
2                                 40M 2006-08-06 12:43:29   00:00:18.633
3         msys                    40M 2006-08-06 12:44:04   00:00:23.514
@end example

A VM snapshot is made of a VM state info (its size is shown in
@code{info snapshots}) and a snapshot of every writable disk image.
The VM state info is stored in the first @code{qcow2} non removable
and writable block device. The disk image snapshots are stored in
every disk image. The size of a snapshot in a disk image is difficult
to evaluate and is not shown by @code{info snapshots} because the
associated disk sectors are shared among all the snapshots to save
disk space (otherwise each snapshot would need a full copy of all the
disk images).

When using the (unrelated) @code{-snapshot} option
(@ref{disk_images_snapshot_mode}), you can always make VM snapshots,
but they are deleted as soon as you exit QEMU.

VM snapshots currently have the following known limitations:
@itemize
@item
They cannot cope with removable devices if they are removed or
inserted after a snapshot is done.
@item
A few device drivers still have incomplete snapshot support so their
state is not saved or restored properly (in particular USB).
@end itemize

@node qemu_img_invocation
@subsection @code{qemu-img} Invocation

@include qemu-img.texi

@node qemu_nbd_invocation
@subsection @code{qemu-nbd} Invocation

@include qemu-nbd.texi

@include docs/qemu-block-drivers.texi

@node pcsys_network
@section Network emulation

QEMU can simulate several network cards (e.g. PCI or ISA cards on the PC
target) and can connect them to a network backend on the host or an emulated
hub. The various host network backends can either be used to connect the NIC of
the guest to a real network (e.g. by using a TAP devices or the non-privileged
user mode network stack), or to other guest instances running in another QEMU
process (e.g. by using the socket host network backend).

@subsection Using TAP network interfaces

This is the standard way to connect QEMU to a real network. QEMU adds
a virtual network device on your host (called @code{tapN}), and you
can then configure it as if it was a real ethernet card.

@subsubsection Linux host

As an example, you can download the @file{linux-test-xxx.tar.gz}
archive and copy the script @file{qemu-ifup} in @file{/etc} and
configure properly @code{sudo} so that the command @code{ifconfig}
contained in @file{qemu-ifup} can be executed as root. You must verify
that your host kernel supports the TAP network interfaces: the
device @file{/dev/net/tun} must be present.

See @ref{sec_invocation} to have examples of command lines using the
TAP network interfaces.

@subsubsection Windows host

There is a virtual ethernet driver for Windows 2000/XP systems, called
TAP-Win32. But it is not included in standard QEMU for Windows,
so you will need to get it separately. It is part of OpenVPN package,
so download OpenVPN from : @url{https://openvpn.net/}.

@subsection Using the user mode network stack

By using the option @option{-net user} (default configuration if no
@option{-net} option is specified), QEMU uses a completely user mode
network stack (you don't need root privilege to use the virtual
network). The virtual network configuration is the following:

@example

     guest (10.0.2.15)  <------>  Firewall/DHCP server <-----> Internet
                           |          (10.0.2.2)
                           |
                           ---->  DNS server (10.0.2.3)
                           |
                           ---->  SMB server (10.0.2.4)
@end example

The QEMU VM behaves as if it was behind a firewall which blocks all
incoming connections. You can use a DHCP client to automatically
configure the network in the QEMU VM. The DHCP server assign addresses
to the hosts starting from 10.0.2.15.

In order to check that the user mode network is working, you can ping
the address 10.0.2.2 and verify that you got an address in the range
10.0.2.x from the QEMU virtual DHCP server.

Note that ICMP traffic in general does not work with user mode networking.
@code{ping}, aka. ICMP echo, to the local router (10.0.2.2) shall work,
however. If you're using QEMU on Linux >= 3.0, it can use unprivileged ICMP
ping sockets to allow @code{ping} to the Internet. The host admin has to set
the ping_group_range in order to grant access to those sockets. To allow ping
for GID 100 (usually users group):

@example
echo 100 100 > /proc/sys/net/ipv4/ping_group_range
@end example

When using the built-in TFTP server, the router is also the TFTP
server.

When using the @option{'-netdev user,hostfwd=...'} option, TCP or UDP
connections can be redirected from the host to the guest. It allows for
example to redirect X11, telnet or SSH connections.

@subsection Hubs

QEMU can simulate several hubs. A hub can be thought of as a virtual connection
between several network devices. These devices can be for example QEMU virtual
ethernet cards or virtual Host ethernet devices (TAP devices). You can connect
guest NICs or host network backends to such a hub using the @option{-netdev
hubport} or @option{-nic hubport} options. The legacy @option{-net} option
also connects the given device to the emulated hub with ID 0 (i.e. the default
hub) unless you specify a netdev with @option{-net nic,netdev=xxx} here.

@subsection Connecting emulated networks between QEMU instances

Using the @option{-netdev socket} (or @option{-nic socket} or
@option{-net socket}) option, it is possible to create emulated
networks that span several QEMU instances.
See the description of the @option{-netdev socket} option in the
@ref{sec_invocation,,Invocation chapter} to have a basic example.

@node pcsys_other_devs
@section Other Devices

@subsection Inter-VM Shared Memory device

On Linux hosts, a shared memory device is available.  The basic syntax
is:

@example
qemu-system-x86_64 -device ivshmem-plain,memdev=@var{hostmem}
@end example

where @var{hostmem} names a host memory backend.  For a POSIX shared
memory backend, use something like

@example
-object memory-backend-file,size=1M,share,mem-path=/dev/shm/ivshmem,id=@var{hostmem}
@end example

If desired, interrupts can be sent between guest VMs accessing the same shared
memory region.  Interrupt support requires using a shared memory server and
using a chardev socket to connect to it.  The code for the shared memory server
is qemu.git/contrib/ivshmem-server.  An example syntax when using the shared
memory server is:

@example
# First start the ivshmem server once and for all
ivshmem-server -p @var{pidfile} -S @var{path} -m @var{shm-name} -l @var{shm-size} -n @var{vectors}

# Then start your qemu instances with matching arguments
qemu-system-x86_64 -device ivshmem-doorbell,vectors=@var{vectors},chardev=@var{id}
                 -chardev socket,path=@var{path},id=@var{id}
@end example

When using the server, the guest will be assigned a VM ID (>=0) that allows guests
using the same server to communicate via interrupts.  Guests can read their
VM ID from a device register (see ivshmem-spec.txt).

@subsubsection Migration with ivshmem

With device property @option{master=on}, the guest will copy the shared
memory on migration to the destination host.  With @option{master=off},
the guest will not be able to migrate with the device attached.  In the
latter case, the device should be detached and then reattached after
migration using the PCI hotplug support.

At most one of the devices sharing the same memory can be master.  The
master must complete migration before you plug back the other devices.

@subsubsection ivshmem and hugepages

Instead of specifying the <shm size> using POSIX shm, you may specify
a memory backend that has hugepage support:

@example
qemu-system-x86_64 -object memory-backend-file,size=1G,mem-path=/dev/hugepages/my-shmem-file,share,id=mb1
                 -device ivshmem-plain,memdev=mb1
@end example

ivshmem-server also supports hugepages mount points with the
@option{-m} memory path argument.

@node direct_linux_boot
@section Direct Linux Boot

This section explains how to launch a Linux kernel inside QEMU without
having to make a full bootable image. It is very useful for fast Linux
kernel testing.

The syntax is:
@example
qemu-system-i386 -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"
@end example

Use @option{-kernel} to provide the Linux kernel image and
@option{-append} to give the kernel command line arguments. The
@option{-initrd} option can be used to provide an INITRD image.

When using the direct Linux boot, a disk image for the first hard disk
@file{hda} is required because its boot sector is used to launch the
Linux kernel.

If you do not need graphical output, you can disable it and redirect
the virtual serial port and the QEMU monitor to the console with the
@option{-nographic} option. The typical command line is:
@example
qemu-system-i386 -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
                 -append "root=/dev/hda console=ttyS0" -nographic
@end example

Use @key{Ctrl-a c} to switch between the serial console and the
monitor (@pxref{pcsys_keys}).

@node pcsys_usb
@section USB emulation

QEMU can emulate a PCI UHCI, OHCI, EHCI or XHCI USB controller. You can
plug virtual USB devices or real host USB devices (only works with certain
host operating systems). QEMU will automatically create and connect virtual
USB hubs as necessary to connect multiple USB devices.

@menu
* usb_devices::
* host_usb_devices::
@end menu
@node usb_devices
@subsection Connecting USB devices

USB devices can be connected with the @option{-device usb-...} command line
option or the @code{device_add} monitor command. Available devices are:

@table @code
@item usb-mouse
Virtual Mouse.  This will override the PS/2 mouse emulation when activated.
@item usb-tablet
Pointer device that uses absolute coordinates (like a touchscreen).
This means QEMU is able to report the mouse position without having
to grab the mouse.  Also overrides the PS/2 mouse emulation when activated.
@item usb-storage,drive=@var{drive_id}
Mass storage device backed by @var{drive_id} (@pxref{disk_images})
@item usb-uas
USB attached SCSI device, see
@url{https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/usb-storage.txt,usb-storage.txt}
for details
@item usb-bot
Bulk-only transport storage device, see
@url{https://git.qemu.org/?p=qemu.git;a=blob_plain;f=docs/usb-storage.txt,usb-storage.txt}
for details here, too
@item usb-mtp,rootdir=@var{dir}
Media transfer protocol device, using @var{dir} as root of the file tree
that is presented to the guest.
@item usb-host,hostbus=@var{bus},hostaddr=@var{addr}
Pass through the host device identified by @var{bus} and @var{addr}
@item usb-host,vendorid=@var{vendor},productid=@var{product}
Pass through the host device identified by @var{vendor} and @var{product} ID
@item usb-wacom-tablet
Virtual Wacom PenPartner tablet.  This device is similar to the @code{tablet}
above but it can be used with the tslib library because in addition to touch
coordinates it reports touch pressure.
@item usb-kbd
Standard USB keyboard.  Will override the PS/2 keyboard (if present).
@item usb-serial,chardev=@var{id}
Serial converter. This emulates an FTDI FT232BM chip connected to host character
device @var{id}.
@item usb-braille,chardev=@var{id}
Braille device.  This will use BrlAPI to display the braille output on a real
or fake device referenced by @var{id}.
@item usb-net[,netdev=@var{id}]
Network adapter that supports CDC ethernet and RNDIS protocols.  @var{id}
specifies a netdev defined with @code{-netdev @dots{},id=@var{id}}.
For instance, user-mode networking can be used with
@example
qemu-system-i386 [...] -netdev user,id=net0 -device usb-net,netdev=net0
@end example
@item usb-ccid
Smartcard reader device
@item usb-audio
USB audio device
@item usb-bt-dongle
Bluetooth dongle for the transport layer of HCI. It is connected to HCI
scatternet 0 by default (corresponds to @code{-bt hci,vlan=0}).
Note that the syntax for the @code{-device usb-bt-dongle} option is not as
useful yet as it was with the legacy @code{-usbdevice} option. So to
configure an USB bluetooth device, you might need to use
"@code{-usbdevice bt}[:@var{hci-type}]" instead. This configures a
bluetooth dongle whose type is specified in the same format as with
the @option{-bt hci} option, @pxref{bt-hcis,,allowed HCI types}.  If
no type is given, the HCI logic corresponds to @code{-bt hci,vlan=0}.
This USB device implements the USB Transport Layer of HCI.  Example
usage:
@example
@command{qemu-system-i386} [...@var{OPTIONS}...] @option{-usbdevice} bt:hci,vlan=3 @option{-bt} device:keyboard,vlan=3
@end example
@end table

@node host_usb_devices
@subsection Using host USB devices on a Linux host

WARNING: this is an experimental feature. QEMU will slow down when
using it. USB devices requiring real time streaming (i.e. USB Video
Cameras) are not supported yet.

@enumerate
@item If you use an early Linux 2.4 kernel, verify that no Linux driver
is actually using the USB device. A simple way to do that is simply to
disable the corresponding kernel module by renaming it from @file{mydriver.o}
to @file{mydriver.o.disabled}.

@item Verify that @file{/proc/bus/usb} is working (most Linux distributions should enable it by default). You should see something like that:
@example
ls /proc/bus/usb
001  devices  drivers
@end example

@item Since only root can access to the USB devices directly, you can either launch QEMU as root or change the permissions of the USB devices you want to use. For testing, the following suffices:
@example
chown -R myuid /proc/bus/usb
@end example

@item Launch QEMU and do in the monitor:
@example
info usbhost
  Device 1.2, speed 480 Mb/s
    Class 00: USB device 1234:5678, USB DISK
@end example
You should see the list of the devices you can use (Never try to use
hubs, it won't work).

@item Add the device in QEMU by using:
@example
device_add usb-host,vendorid=0x1234,productid=0x5678
@end example

Normally the guest OS should report that a new USB device is plugged.
You can use the option @option{-device usb-host,...} to do the same.

@item Now you can try to use the host USB device in QEMU.

@end enumerate

When relaunching QEMU, you may have to unplug and plug again the USB
device to make it work again (this is a bug).

@node vnc_security
@section VNC security

The VNC server capability provides access to the graphical console
of the guest VM across the network. This has a number of security
considerations depending on the deployment scenarios.

@menu
* vnc_sec_none::
* vnc_sec_password::
* vnc_sec_certificate::
* vnc_sec_certificate_verify::
* vnc_sec_certificate_pw::
* vnc_sec_sasl::
* vnc_sec_certificate_sasl::
* vnc_setup_sasl::
@end menu
@node vnc_sec_none
@subsection Without passwords

The simplest VNC server setup does not include any form of authentication.
For this setup it is recommended to restrict it to listen on a UNIX domain
socket only. For example

@example
qemu-system-i386 [...OPTIONS...] -vnc unix:/home/joebloggs/.qemu-myvm-vnc
@end example

This ensures that only users on local box with read/write access to that
path can access the VNC server. To securely access the VNC server from a
remote machine, a combination of netcat+ssh can be used to provide a secure
tunnel.

@node vnc_sec_password
@subsection With passwords

The VNC protocol has limited support for password based authentication. Since
the protocol limits passwords to 8 characters it should not be considered
to provide high security. The password can be fairly easily brute-forced by
a client making repeat connections. For this reason, a VNC server using password
authentication should be restricted to only listen on the loopback interface
or UNIX domain sockets. Password authentication is not supported when operating
in FIPS 140-2 compliance mode as it requires the use of the DES cipher. Password
authentication is requested with the @code{password} option, and then once QEMU
is running the password is set with the monitor. Until the monitor is used to
set the password all clients will be rejected.

@example
qemu-system-i386 [...OPTIONS...] -vnc :1,password -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
@end example

@node vnc_sec_certificate
@subsection With x509 certificates

The QEMU VNC server also implements the VeNCrypt extension allowing use of
TLS for encryption of the session, and x509 certificates for authentication.
The use of x509 certificates is strongly recommended, because TLS on its
own is susceptible to man-in-the-middle attacks. Basic x509 certificate
support provides a secure session, but no authentication. This allows any
client to connect, and provides an encrypted session.

@example
qemu-system-i386 [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
  -vnc :1,tls-creds=tls0 -monitor stdio
@end example

In the above example @code{/etc/pki/qemu} should contain at least three files,
@code{ca-cert.pem}, @code{server-cert.pem} and @code{server-key.pem}. Unprivileged
users will want to use a private directory, for example @code{$HOME/.pki/qemu}.
NB the @code{server-key.pem} file should be protected with file mode 0600 to
only be readable by the user owning it.

@node vnc_sec_certificate_verify
@subsection With x509 certificates and client verification

Certificates can also provide a means to authenticate the client connecting.
The server will request that the client provide a certificate, which it will
then validate against the CA certificate. This is a good choice if deploying
in an environment with a private internal certificate authority. It uses the
same syntax as previously, but with @code{verify-peer} set to @code{yes}
instead.

@example
qemu-system-i386 [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0 -monitor stdio
@end example


@node vnc_sec_certificate_pw
@subsection With x509 certificates, client verification and passwords

Finally, the previous method can be combined with VNC password authentication
to provide two layers of authentication for clients.

@example
qemu-system-i386 [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0,password -monitor stdio
(qemu) change vnc password
Password: ********
(qemu)
@end example


@node vnc_sec_sasl
@subsection With SASL authentication

The SASL authentication method is a VNC extension, that provides an
easily extendable, pluggable authentication method. This allows for
integration with a wide range of authentication mechanisms, such as
PAM, GSSAPI/Kerberos, LDAP, SQL databases, one-time keys and more.
The strength of the authentication depends on the exact mechanism
configured. If the chosen mechanism also provides a SSF layer, then
it will encrypt the datastream as well.

Refer to the later docs on how to choose the exact SASL mechanism
used for authentication, but assuming use of one supporting SSF,
then QEMU can be launched with:

@example
qemu-system-i386 [...OPTIONS...] -vnc :1,sasl -monitor stdio
@end example

@node vnc_sec_certificate_sasl
@subsection With x509 certificates and SASL authentication

If the desired SASL authentication mechanism does not supported
SSF layers, then it is strongly advised to run it in combination
with TLS and x509 certificates. This provides securely encrypted
data stream, avoiding risk of compromising of the security
credentials. This can be enabled, by combining the 'sasl' option
with the aforementioned TLS + x509 options:

@example
qemu-system-i386 [...OPTIONS...] \
  -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
  -vnc :1,tls-creds=tls0,sasl -monitor stdio
@end example

@node vnc_setup_sasl

@subsection Configuring SASL mechanisms

The following documentation assumes use of the Cyrus SASL implementation on a
Linux host, but the principles should apply to any other SASL implementation
or host. When SASL is enabled, the mechanism configuration will be loaded from
system default SASL service config /etc/sasl2/qemu.conf. If running QEMU as an
unprivileged user, an environment variable SASL_CONF_PATH can be used to make
it search alternate locations for the service config file.

If the TLS option is enabled for VNC, then it will provide session encryption,
otherwise the SASL mechanism will have to provide encryption. In the latter
case the list of possible plugins that can be used is drastically reduced. In
fact only the GSSAPI SASL mechanism provides an acceptable level of security
by modern standards. Previous versions of QEMU referred to the DIGEST-MD5
mechanism, however, it has multiple serious flaws described in detail in
RFC 6331 and thus should never be used any more. The SCRAM-SHA-1 mechanism
provides a simple username/password auth facility similar to DIGEST-MD5, but
does not support session encryption, so can only be used in combination with
TLS.

When not using TLS the recommended configuration is

@example
mech_list: gssapi
keytab: /etc/qemu/krb5.tab
@end example

This says to use the 'GSSAPI' mechanism with the Kerberos v5 protocol, with
the server principal stored in /etc/qemu/krb5.tab. For this to work the
administrator of your KDC must generate a Kerberos principal for the server,
with a name of 'qemu/somehost.example.com@@EXAMPLE.COM' replacing
'somehost.example.com' with the fully qualified host name of the machine
running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.

When using TLS, if username+password authentication is desired, then a
reasonable configuration is

@example
mech_list: scram-sha-1
sasldb_path: /etc/qemu/passwd.db
@end example

The @code{saslpasswd2} program can be used to populate the @code{passwd.db}
file with accounts.

Other SASL configurations will be left as an exercise for the reader. Note that
all mechanisms, except GSSAPI, should be combined with use of TLS to ensure a
secure data channel.


@node network_tls
@section TLS setup for network services

Almost all network services in QEMU have the ability to use TLS for
session data encryption, along with x509 certificates for simple
client authentication. What follows is a description of how to
generate certificates suitable for usage with QEMU, and applies to
the VNC server, character devices with the TCP backend, NBD server
and client, and migration server and client.

At a high level, QEMU requires certificates and private keys to be
provided in PEM format. Aside from the core fields, the certificates
should include various extension data sets, including v3 basic
constraints data, key purpose, key usage and subject alt name.

The GnuTLS package includes a command called @code{certtool} which can
be used to easily generate certificates and keys in the required format
with expected data present. Alternatively a certificate management
service may be used.

At a minimum it is necessary to setup a certificate authority, and
issue certificates to each server. If using x509 certificates for
authentication, then each client will also need to be issued a
certificate.

Assuming that the QEMU network services will only ever be exposed to
clients on a private intranet, there is no need to use a commercial
certificate authority to create certificates. A self-signed CA is
sufficient, and in fact likely to be more secure since it removes
the ability of malicious 3rd parties to trick the CA into mis-issuing
certs for impersonating your services. The only likely exception
where a commercial CA might be desirable is if enabling the VNC
websockets server and exposing it directly to remote browser clients.
In such a case it might be useful to use a commercial CA to avoid
needing to install custom CA certs in the web browsers.

The recommendation is for the server to keep its certificates in either
@code{/etc/pki/qemu} or for unprivileged users in @code{$HOME/.pki/qemu}.

@menu
* tls_generate_ca::
* tls_generate_server::
* tls_generate_client::
* tls_creds_setup::
* tls_psk::
@end menu
@node tls_generate_ca
@subsection Setup the Certificate Authority

This step only needs to be performed once per organization / organizational
unit. First the CA needs a private key. This key must be kept VERY secret
and secure. If this key is compromised the entire trust chain of the certificates
issued with it is lost.

@example
# certtool --generate-privkey > ca-key.pem
@end example

To generate a self-signed certificate requires one core piece of information,
the name of the organization. A template file @code{ca.info} should be
populated with the desired data to avoid having to deal with interactive
prompts from certtool:
@example
# cat > ca.info <<EOF
cn = Name of your organization
ca
cert_signing_key
EOF
# certtool --generate-self-signed \
           --load-privkey ca-key.pem
           --template ca.info \
           --outfile ca-cert.pem
@end example

The @code{ca} keyword in the template sets the v3 basic constraints extension
to indicate this certificate is for a CA, while @code{cert_signing_key} sets
the key usage extension to indicate this will be used for signing other keys.
The generated @code{ca-cert.pem} file should be copied to all servers and
clients wishing to utilize TLS support in the VNC server. The @code{ca-key.pem}
must not be disclosed/copied anywhere except the host responsible for issuing
certificates.

@node tls_generate_server
@subsection Issuing server certificates

Each server (or host) needs to be issued with a key and certificate. When connecting
the certificate is sent to the client which validates it against the CA certificate.
The core pieces of information for a server certificate are the hostnames and/or IP
addresses that will be used by clients when connecting. The hostname / IP address
that the client specifies when connecting will be validated against the hostname(s)
and IP address(es) recorded in the server certificate, and if no match is found
the client will close the connection.

Thus it is recommended that the server certificate include both the fully qualified
and unqualified hostnames. If the server will have permanently assigned IP address(es),
and clients are likely to use them when connecting, they may also be included in the
certificate. Both IPv4 and IPv6 addresses are supported. Historically certificates
only included 1 hostname in the @code{CN} field, however, usage of this field for
validation is now deprecated. Instead modern TLS clients will validate against the
Subject Alt Name extension data, which allows for multiple entries. In the future
usage of the @code{CN} field may be discontinued entirely, so providing SAN
extension data is strongly recommended.

On the host holding the CA, create template files containing the information
for each server, and use it to issue server certificates.

@example
# cat > server-hostNNN.info <<EOF
organization = Name  of your organization
cn = hostNNN.foo.example.com
dns_name = hostNNN
dns_name = hostNNN.foo.example.com
ip_address = 10.0.1.87
ip_address = 192.8.0.92
ip_address = 2620:0:cafe::87
ip_address = 2001:24::92
tls_www_server
encryption_key
signing_key
EOF
# certtool --generate-privkey > server-hostNNN-key.pem
# certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey server-hostNNN-key.pem \
           --template server-hostNNN.info \
           --outfile server-hostNNN-cert.pem
@end example

The @code{dns_name} and @code{ip_address} fields in the template are setting
the subject alt name extension data. The @code{tls_www_server} keyword is the
key purpose extension to indicate this certificate is intended for usage in
a web server. Although QEMU network services are not in fact HTTP servers
(except for VNC websockets), setting this key purpose is still recommended.
The @code{encryption_key} and @code{signing_key} keyword is the key usage
extension to indicate this certificate is intended for usage in the data
session.

The @code{server-hostNNN-key.pem} and @code{server-hostNNN-cert.pem} files
should now be securely copied to the server for which they were generated,
and renamed to @code{server-key.pem} and @code{server-cert.pem} when added
to the @code{/etc/pki/qemu} directory on the target host. The @code{server-key.pem}
file is security sensitive and should be kept protected with file mode 0600
to prevent disclosure.

@node tls_generate_client
@subsection Issuing client certificates

The QEMU x509 TLS credential setup defaults to enabling client verification
using certificates, providing a simple authentication mechanism. If this
default is used, each client also needs to be issued a certificate. The client
certificate contains enough metadata to uniquely identify the client with the
scope of the certificate authority. The client certificate would typically
include fields for organization, state, city, building, etc.

Once again on the host holding the CA, create template files containing the
information for each client, and use it to issue client certificates.


@example
# cat > client-hostNNN.info <<EOF
country = GB
state = London
locality = City Of London
organization = Name of your organization
cn = hostNNN.foo.example.com
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > client-hostNNN-key.pem
# certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey client-hostNNN-key.pem \
           --template client-hostNNN.info \
           --outfile client-hostNNN-cert.pem
@end example

The subject alt name extension data is not required for clients, so the
the @code{dns_name} and @code{ip_address} fields are not included.
The @code{tls_www_client} keyword is the key purpose extension to indicate
this certificate is intended for usage in a web client. Although QEMU
network clients are not in fact HTTP clients, setting this key purpose is
still recommended. The @code{encryption_key} and @code{signing_key} keyword
is the key usage extension to indicate this certificate is intended for
usage in the data session.

The @code{client-hostNNN-key.pem} and @code{client-hostNNN-cert.pem} files
should now be securely copied to the client for which they were generated,
and renamed to @code{client-key.pem} and @code{client-cert.pem} when added
to the @code{/etc/pki/qemu} directory on the target host. The @code{client-key.pem}
file is security sensitive and should be kept protected with file mode 0600
to prevent disclosure.

If a single host is going to be using TLS in both a client and server
role, it is possible to create a single certificate to cover both roles.
This would be quite common for the migration and NBD services, where a
QEMU process will be started by accepting a TLS protected incoming migration,
and later itself be migrated out to another host. To generate a single
certificate, simply include the template data from both the client and server
instructions in one.

@example
# cat > both-hostNNN.info <<EOF
country = GB
state = London
locality = City Of London
organization = Name of your organization
cn = hostNNN.foo.example.com
dns_name = hostNNN
dns_name = hostNNN.foo.example.com
ip_address = 10.0.1.87
ip_address = 192.8.0.92
ip_address = 2620:0:cafe::87
ip_address = 2001:24::92
tls_www_server
tls_www_client
encryption_key
signing_key
EOF
# certtool --generate-privkey > both-hostNNN-key.pem
# certtool --generate-certificate \
           --load-ca-certificate ca-cert.pem \
           --load-ca-privkey ca-key.pem \
           --load-privkey both-hostNNN-key.pem \
           --template both-hostNNN.info \
           --outfile both-hostNNN-cert.pem
@end example

When copying the PEM files to the target host, save them twice,
once as @code{server-cert.pem} and @code{server-key.pem}, and
again as @code{client-cert.pem} and @code{client-key.pem}.

@node tls_creds_setup
@subsection TLS x509 credential configuration

QEMU has a standard mechanism for loading x509 credentials that will be
used for network services and clients. It requires specifying the
@code{tls-creds-x509} class name to the @code{--object} command line
argument for the system emulators.  Each set of credentials loaded should
be given a unique string identifier via the @code{id} parameter. A single
set of TLS credentials can be used for multiple network backends, so VNC,
migration, NBD, character devices can all share the same credentials. Note,
however, that credentials for use in a client endpoint must be loaded
separately from those used in a server endpoint.

When specifying the object, the @code{dir} parameters specifies which
directory contains the credential files. This directory is expected to
contain files with the names mentioned previously, @code{ca-cert.pem},
@code{server-key.pem}, @code{server-cert.pem}, @code{client-key.pem}
and @code{client-cert.pem} as appropriate. It is also possible to
include a set of pre-generated Diffie-Hellman (DH) parameters in a file
@code{dh-params.pem}, which can be created using the
@code{certtool --generate-dh-params} command. If omitted, QEMU will
dynamically generate DH parameters when loading the credentials.

The @code{endpoint} parameter indicates whether the credentials will
be used for a network client or server, and determines which PEM
files are loaded.

The @code{verify} parameter determines whether x509 certificate
validation should be performed. This defaults to enabled, meaning
clients will always validate the server hostname against the
certificate subject alt name fields and/or CN field. It also
means that servers will request that clients provide a certificate
and validate them. Verification should never be turned off for
client endpoints, however, it may be turned off for server endpoints
if an alternative mechanism is used to authenticate clients. For
example, the VNC server can use SASL to authenticate clients
instead.

To load server credentials with client certificate validation
enabled

@example
$QEMU -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server
@end example

while to load client credentials use

@example
$QEMU -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=client
@end example

Network services which support TLS will all have a @code{tls-creds}
parameter which expects the ID of the TLS credentials object. For
example with VNC:

@example
$QEMU -vnc 0.0.0.0:0,tls-creds=tls0
@end example

@node tls_psk
@subsection TLS Pre-Shared Keys (PSK)

Instead of using certificates, you may also use TLS Pre-Shared Keys
(TLS-PSK).  This can be simpler to set up than certificates but is
less scalable.

Use the GnuTLS @code{psktool} program to generate a @code{keys.psk}
file containing one or more usernames and random keys:

@example
mkdir -m 0700 /tmp/keys
psktool -u rich -p /tmp/keys/keys.psk
@end example

TLS-enabled servers such as qemu-nbd can use this directory like so:

@example
qemu-nbd \
  -t -x / \
  --object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
  --tls-creds tls0 \
  image.qcow2
@end example

When connecting from a qemu-based client you must specify the
directory containing @code{keys.psk} and an optional @var{username}
(defaults to ``qemu''):

@example
qemu-img info \
  --object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rich,endpoint=client \
  --image-opts \
  file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
@end example

@node gdb_usage
@section GDB usage

QEMU has a primitive support to work with gdb, so that you can do
'Ctrl-C' while the virtual machine is running and inspect its state.

In order to use gdb, launch QEMU with the '-s' option. It will wait for a
gdb connection:
@example
qemu-system-i386 -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
                    -append "root=/dev/hda"
Connected to host network interface: tun0
Waiting gdb connection on port 1234
@end example

Then launch gdb on the 'vmlinux' executable:
@example
> gdb vmlinux
@end example

In gdb, connect to QEMU:
@example
(gdb) target remote localhost:1234
@end example

Then you can use gdb normally. For example, type 'c' to launch the kernel:
@example
(gdb) c
@end example

Here are some useful tips in order to use gdb on system code:

@enumerate
@item
Use @code{info reg} to display all the CPU registers.
@item
Use @code{x/10i $eip} to display the code at the PC position.
@item
Use @code{set architecture i8086} to dump 16 bit code. Then use
@code{x/10i $cs*16+$eip} to dump the code at the PC position.
@end enumerate

Advanced debugging options:

The default single stepping behavior is step with the IRQs and timer service routines off.  It is set this way because when gdb executes a single step it expects to advance beyond the current instruction.  With the IRQs and timer service routines on, a single step might jump into the one of the interrupt or exception vectors instead of executing the current instruction. This means you may hit the same breakpoint a number of times before executing the instruction gdb wants to have executed.  Because there are rare circumstances where you want to single step into an interrupt vector the behavior can be controlled from GDB.  There are three commands you can query and set the single step behavior:
@table @code
@item maintenance packet qqemu.sstepbits

This will display the MASK bits used to control the single stepping IE:
@example
(gdb) maintenance packet qqemu.sstepbits
sending: "qqemu.sstepbits"
received: "ENABLE=1,NOIRQ=2,NOTIMER=4"
@end example
@item maintenance packet qqemu.sstep

This will display the current value of the mask used when single stepping IE:
@example
(gdb) maintenance packet qqemu.sstep
sending: "qqemu.sstep"
received: "0x7"
@end example
@item maintenance packet Qqemu.sstep=HEX_VALUE

This will change the single step mask, so if wanted to enable IRQs on the single step, but not timers, you would use:
@example
(gdb) maintenance packet Qqemu.sstep=0x5
sending: "qemu.sstep=0x5"
received: "OK"
@end example
@end table

@node pcsys_os_specific
@section Target OS specific information

@subsection Linux

To have access to SVGA graphic modes under X11, use the @code{vesa} or
the @code{cirrus} X11 driver. For optimal performances, use 16 bit
color depth in the guest and the host OS.

When using a 2.6 guest Linux kernel, you should add the option
@code{clock=pit} on the kernel command line because the 2.6 Linux
kernels make very strict real time clock checks by default that QEMU
cannot simulate exactly.

When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is
not activated because QEMU is slower with this patch. The QEMU
Accelerator Module is also much slower in this case. Earlier Fedora
Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporate this
patch by default. Newer kernels don't have it.

@subsection Windows

If you have a slow host, using Windows 95 is better as it gives the
best speed. Windows 2000 is also a good choice.

@subsubsection SVGA graphic modes support

QEMU emulates a Cirrus Logic GD5446 Video
card. All Windows versions starting from Windows 95 should recognize
and use this graphic card. For optimal performances, use 16 bit color
depth in the guest and the host OS.

If you are using Windows XP as guest OS and if you want to use high
resolution modes which the Cirrus Logic BIOS does not support (i.e. >=
1280x1024x16), then you should use the VESA VBE virtual graphic card
(option @option{-std-vga}).

@subsubsection CPU usage reduction

Windows 9x does not correctly use the CPU HLT
instruction. The result is that it takes host CPU cycles even when
idle. You can install the utility from
@url{https://web.archive.org/web/20060212132151/http://www.user.cityline.ru/~maxamn/amnhltm.zip}
to solve this problem. Note that no such tool is needed for NT, 2000 or XP.

@subsubsection Windows 2000 disk full problem

Windows 2000 has a bug which gives a disk full problem during its
installation. When installing it, use the @option{-win2k-hack} QEMU
option to enable a specific workaround. After Windows 2000 is
installed, you no longer need this option (this option slows down the
IDE transfers).

@subsubsection Windows 2000 shutdown

Windows 2000 cannot automatically shutdown in QEMU although Windows 98
can. It comes from the fact that Windows 2000 does not automatically
use the APM driver provided by the BIOS.

In order to correct that, do the following (thanks to Struan
Bartlett): go to the Control Panel => Add/Remove Hardware & Next =>
Add/Troubleshoot a device => Add a new device & Next => No, select the
hardware from a list & Next => NT Apm/Legacy Support & Next => Next
(again) a few times. Now the driver is installed and Windows 2000 now
correctly instructs QEMU to shutdown at the appropriate moment.

@subsubsection Share a directory between Unix and Windows

See @ref{sec_invocation} about the help of the option
@option{'-netdev user,smb=...'}.

@subsubsection Windows XP security problem

Some releases of Windows XP install correctly but give a security
error when booting:
@example
A problem is preventing Windows from accurately checking the
license for this computer. Error code: 0x800703e6.
@end example

The workaround is to install a service pack for XP after a boot in safe
mode. Then reboot, and the problem should go away. Since there is no
network while in safe mode, its recommended to download the full
installation of SP1 or SP2 and transfer that via an ISO or using the
vvfat block device ("-hdb fat:directory_which_holds_the_SP").

@subsection MS-DOS and FreeDOS

@subsubsection CPU usage reduction

DOS does not correctly use the CPU HLT instruction. The result is that
it takes host CPU cycles even when idle. You can install the utility from
@url{https://web.archive.org/web/20051222085335/http://www.vmware.com/software/dosidle210.zip}
to solve this problem.

@node QEMU System emulator for non PC targets
@chapter QEMU System emulator for non PC targets

QEMU is a generic emulator and it emulates many non PC
machines. Most of the options are similar to the PC emulator. The
differences are mentioned in the following sections.

@menu
* PowerPC System emulator::
* Sparc32 System emulator::
* Sparc64 System emulator::
* MIPS System emulator::
* ARM System emulator::
* ColdFire System emulator::
* Cris System emulator::
* Microblaze System emulator::
* SH4 System emulator::
* Xtensa System emulator::
@end menu

@node PowerPC System emulator
@section PowerPC System emulator
@cindex system emulation (PowerPC)

Use the executable @file{qemu-system-ppc} to simulate a complete PREP
or PowerMac PowerPC system.

QEMU emulates the following PowerMac peripherals:

@itemize @minus
@item
UniNorth or Grackle PCI Bridge
@item
PCI VGA compatible card with VESA Bochs Extensions
@item
2 PMAC IDE interfaces with hard disk and CD-ROM support
@item
NE2000 PCI adapters
@item
Non Volatile RAM
@item
VIA-CUDA with ADB keyboard and mouse.
@end itemize

QEMU emulates the following PREP peripherals:

@itemize @minus
@item
PCI Bridge
@item
PCI VGA compatible card with VESA Bochs Extensions
@item
2 IDE interfaces with hard disk and CD-ROM support
@item
Floppy disk
@item
NE2000 network adapters
@item
Serial port
@item
PREP Non Volatile RAM
@item
PC compatible keyboard and mouse.
@end itemize

QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at
@url{http://perso.magic.fr/l_indien/OpenHackWare/index.htm}.

Since version 0.9.1, QEMU uses OpenBIOS @url{https://www.openbios.org/}
for the g3beige and mac99 PowerMac machines. OpenBIOS is a free (GPL
v2) portable firmware implementation. The goal is to implement a 100%
IEEE 1275-1994 (referred to as Open Firmware) compliant firmware.

@c man begin OPTIONS

The following options are specific to the PowerPC emulation:

@table @option

@item -g @var{W}x@var{H}[x@var{DEPTH}]

Set the initial VGA graphic mode. The default is 800x600x32.

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example
qemu-system-ppc -prom-env 'auto-boot?=false' \
 -prom-env 'boot-device=hd:2,\yaboot' \
 -prom-env 'boot-args=conf=hd:2,\yaboot.conf'
@end example

These variables are not used by Open Hack'Ware.

@end table

@c man end


More information is available at
@url{http://perso.magic.fr/l_indien/qemu-ppc/}.

@node Sparc32 System emulator
@section Sparc32 System emulator
@cindex system emulation (Sparc32)

Use the executable @file{qemu-system-sparc} to simulate the following
Sun4m architecture machines:
@itemize @minus
@item
SPARCstation 4
@item
SPARCstation 5
@item
SPARCstation 10
@item
SPARCstation 20
@item
SPARCserver 600MP
@item
SPARCstation LX
@item
SPARCstation Voyager
@item
SPARCclassic
@item
SPARCbook
@end itemize

The emulation is somewhat complete. SMP up to 16 CPUs is supported,
but Linux limits the number of usable CPUs to 4.

QEMU emulates the following sun4m peripherals:

@itemize @minus
@item
IOMMU
@item
TCX or cgthree Frame buffer
@item
Lance (Am7990) Ethernet
@item
Non Volatile RAM M48T02/M48T08
@item
Slave I/O: timers, interrupt controllers, Zilog serial ports, keyboard
and power/reset logic
@item
ESP SCSI controller with hard disk and CD-ROM support
@item
Floppy drive (not on SS-600MP)
@item
CS4231 sound device (only on SS-5, not working yet)
@end itemize

The number of peripherals is fixed in the architecture.  Maximum
memory size depends on the machine type, for SS-5 it is 256MB and for
others 2047MB.

Since version 0.8.2, QEMU uses OpenBIOS
@url{https://www.openbios.org/}. OpenBIOS is a free (GPL v2) portable
firmware implementation. The goal is to implement a 100% IEEE
1275-1994 (referred to as Open Firmware) compliant firmware.

A sample Linux 2.6 series kernel and ram disk image are available on
the QEMU web site. There are still issues with NetBSD and OpenBSD, but
most kernel versions work. Please note that currently older Solaris kernels
don't work probably due to interface issues between OpenBIOS and
Solaris.

@c man begin OPTIONS

The following options are specific to the Sparc32 emulation:

@table @option

@item -g @var{W}x@var{H}x[x@var{DEPTH}]

Set the initial graphics mode. For TCX, the default is 1024x768x8 with the
option of 1024x768x24. For cgthree, the default is 1024x768x8 with the option
of 1152x900x8 for people who wish to use OBP.

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example
qemu-system-sparc -prom-env 'auto-boot?=false' \
 -prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'
@end example

@item -M [SS-4|SS-5|SS-10|SS-20|SS-600MP|LX|Voyager|SPARCClassic] [|SPARCbook]

Set the emulated machine type. Default is SS-5.

@end table

@c man end

@node Sparc64 System emulator
@section Sparc64 System emulator
@cindex system emulation (Sparc64)

Use the executable @file{qemu-system-sparc64} to simulate a Sun4u
(UltraSPARC PC-like machine), Sun4v (T1 PC-like machine), or generic
Niagara (T1) machine. The Sun4u emulator is mostly complete, being
able to run Linux, NetBSD and OpenBSD in headless (-nographic) mode. The
Sun4v emulator is still a work in progress.

The Niagara T1 emulator makes use of firmware and OS binaries supplied in the S10image/ directory
of the OpenSPARC T1 project @url{http://download.oracle.com/technetwork/systems/opensparc/OpenSPARCT1_Arch.1.5.tar.bz2}
and is able to boot the disk.s10hw2 Solaris image.
@example
qemu-system-sparc64 -M niagara -L /path-to/S10image/ \
                    -nographic -m 256 \
                    -drive if=pflash,readonly=on,file=/S10image/disk.s10hw2
@end example


QEMU emulates the following peripherals:

@itemize @minus
@item
UltraSparc IIi APB PCI Bridge
@item
PCI VGA compatible card with VESA Bochs Extensions
@item
PS/2 mouse and keyboard
@item
Non Volatile RAM M48T59
@item
PC-compatible serial ports
@item
2 PCI IDE interfaces with hard disk and CD-ROM support
@item
Floppy disk
@end itemize

@c man begin OPTIONS

The following options are specific to the Sparc64 emulation:

@table @option

@item -prom-env @var{string}

Set OpenBIOS variables in NVRAM, for example:

@example
qemu-system-sparc64 -prom-env 'auto-boot?=false'
@end example

@item -M [sun4u|sun4v|niagara]

Set the emulated machine type. The default is sun4u.

@end table

@c man end

@node MIPS System emulator
@section MIPS System emulator
@cindex system emulation (MIPS)

@menu
* nanoMIPS System emulator ::
@end menu

Four executables cover simulation of 32 and 64-bit MIPS systems in
both endian options, @file{qemu-system-mips}, @file{qemu-system-mipsel}
@file{qemu-system-mips64} and @file{qemu-system-mips64el}.
Five different machine types are emulated:

@itemize @minus
@item
A generic ISA PC-like machine "mips"
@item
The MIPS Malta prototype board "malta"
@item
An ACER Pica "pica61". This machine needs the 64-bit emulator.
@item
MIPS emulator pseudo board "mipssim"
@item
A MIPS Magnum R4000 machine "magnum". This machine needs the 64-bit emulator.
@end itemize

The generic emulation is supported by Debian 'Etch' and is able to
install Debian into a virtual disk image. The following devices are
emulated:

@itemize @minus
@item
A range of MIPS CPUs, default is the 24Kf
@item
PC style serial port
@item
PC style IDE disk
@item
NE2000 network card
@end itemize

The Malta emulation supports the following devices:

@itemize @minus
@item
Core board with MIPS 24Kf CPU and Galileo system controller
@item
PIIX4 PCI/USB/SMbus controller
@item
The Multi-I/O chip's serial device
@item
PCI network cards (PCnet32 and others)
@item
Malta FPGA serial device
@item
Cirrus (default) or any other PCI VGA graphics card
@end itemize

The Boston board emulation supports the following devices:

@itemize @minus
@item
Xilinx FPGA, which includes a PCIe root port and an UART
@item
Intel EG20T PCH connects the I/O peripherals, but only the SATA bus is emulated
@end itemize

The ACER Pica emulation supports:

@itemize @minus
@item
MIPS R4000 CPU
@item
PC-style IRQ and DMA controllers
@item
PC Keyboard
@item
IDE controller
@end itemize

The MIPS Magnum R4000 emulation supports:

@itemize @minus
@item
MIPS R4000 CPU
@item
PC-style IRQ controller
@item
PC Keyboard
@item
SCSI controller
@item
G364 framebuffer
@end itemize

The Fulong 2E emulation supports:

@itemize @minus
@item
Loongson 2E CPU
@item
Bonito64 system controller as North Bridge
@item
VT82C686 chipset as South Bridge
@item
RTL8139D as a network card chipset
@end itemize

The mipssim pseudo board emulation provides an environment similar
to what the proprietary MIPS emulator uses for running Linux.
It supports:

@itemize @minus
@item
A range of MIPS CPUs, default is the 24Kf
@item
PC style serial port
@item
MIPSnet network emulation
@end itemize

@node nanoMIPS System emulator
@subsection nanoMIPS System emulator
@cindex system emulation (nanoMIPS)

Executable @file{qemu-system-mipsel} also covers simulation of
32-bit nanoMIPS system in little endian mode:

@itemize @minus
@item
nanoMIPS I7200 CPU
@end itemize

Example of @file{qemu-system-mipsel} usage for nanoMIPS is shown below:

Download @code{<disk_image_file>} from @url{https://mipsdistros.mips.com/LinuxDistro/nanomips/buildroot/index.html}.

Download @code{<kernel_image_file>} from @url{https://mipsdistros.mips.com/LinuxDistro/nanomips/kernels/v4.15.18-432-gb2eb9a8b07a1-20180627102142/index.html}.

Start system emulation of Malta board with nanoMIPS I7200 CPU:
@example
qemu-system-mipsel -cpu I7200 -kernel @code{<kernel_image_file>} \
    -M malta -serial stdio -m @code{<memory_size>} -hda @code{<disk_image_file>} \
    -append "mem=256m@@0x0 rw console=ttyS0 vga=cirrus vesa=0x111 root=/dev/sda"
@end example


@node ARM System emulator
@section ARM System emulator
@cindex system emulation (ARM)

Use the executable @file{qemu-system-arm} to simulate a ARM
machine. The ARM Integrator/CP board is emulated with the following
devices:

@itemize @minus
@item
ARM926E, ARM1026E, ARM946E, ARM1136 or Cortex-A8 CPU
@item
Two PL011 UARTs
@item
SMC 91c111 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse.
@item
PL181 MultiMedia Card Interface with SD card.
@end itemize

The ARM Versatile baseboard is emulated with the following devices:

@itemize @minus
@item
ARM926E, ARM1136 or Cortex-A8 CPU
@item
PL190 Vectored Interrupt Controller
@item
Four PL011 UARTs
@item
SMC 91c111 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse.
@item
PCI host bridge.  Note the emulated PCI bridge only provides access to
PCI memory space.  It does not provide access to PCI IO space.
This means some devices (eg. ne2k_pci NIC) are not usable, and others
(eg. rtl8139 NIC) are only usable when the guest drivers use the memory
mapped control registers.
@item
PCI OHCI USB controller.
@item
LSI53C895A PCI SCSI Host Bus Adapter with hard disk and CD-ROM devices.
@item
PL181 MultiMedia Card Interface with SD card.
@end itemize

Several variants of the ARM RealView baseboard are emulated,
including the EB, PB-A8 and PBX-A9.  Due to interactions with the
bootloader, only certain Linux kernel configurations work out
of the box on these boards.

Kernels for the PB-A8 board should have CONFIG_REALVIEW_HIGH_PHYS_OFFSET
enabled in the kernel, and expect 512M RAM.  Kernels for The PBX-A9 board
should have CONFIG_SPARSEMEM enabled, CONFIG_REALVIEW_HIGH_PHYS_OFFSET
disabled and expect 1024M RAM.

The following devices are emulated:

@itemize @minus
@item
ARM926E, ARM1136, ARM11MPCore, Cortex-A8 or Cortex-A9 MPCore CPU
@item
ARM AMBA Generic/Distributed Interrupt Controller
@item
Four PL011 UARTs
@item
SMC 91c111 or SMSC LAN9118 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse
@item
PCI host bridge
@item
PCI OHCI USB controller
@item
LSI53C895A PCI SCSI Host Bus Adapter with hard disk and CD-ROM devices
@item
PL181 MultiMedia Card Interface with SD card.
@end itemize

The XScale-based clamshell PDA models ("Spitz", "Akita", "Borzoi"
and "Terrier") emulation includes the following peripherals:

@itemize @minus
@item
Intel PXA270 System-on-chip (ARM V5TE core)
@item
NAND Flash memory
@item
IBM/Hitachi DSCM microdrive in a PXA PCMCIA slot - not in "Akita"
@item
On-chip OHCI USB controller
@item
On-chip LCD controller
@item
On-chip Real Time Clock
@item
TI ADS7846 touchscreen controller on SSP bus
@item
Maxim MAX1111 analog-digital converter on I@math{^2}C bus
@item
GPIO-connected keyboard controller and LEDs
@item
Secure Digital card connected to PXA MMC/SD host
@item
Three on-chip UARTs
@item
WM8750 audio CODEC on I@math{^2}C and I@math{^2}S busses
@end itemize

The Palm Tungsten|E PDA (codename "Cheetah") emulation includes the
following elements:

@itemize @minus
@item
Texas Instruments OMAP310 System-on-chip (ARM 925T core)
@item
ROM and RAM memories (ROM firmware image can be loaded with -option-rom)
@item
On-chip LCD controller
@item
On-chip Real Time Clock
@item
TI TSC2102i touchscreen controller / analog-digital converter / Audio
CODEC, connected through MicroWire and I@math{^2}S busses
@item
GPIO-connected matrix keypad
@item
Secure Digital card connected to OMAP MMC/SD host
@item
Three on-chip UARTs
@end itemize

Nokia N800 and N810 internet tablets (known also as RX-34 and RX-44 / 48)
emulation supports the following elements:

@itemize @minus
@item
Texas Instruments OMAP2420 System-on-chip (ARM 1136 core)
@item
RAM and non-volatile OneNAND Flash memories
@item
Display connected to EPSON remote framebuffer chip and OMAP on-chip
display controller and a LS041y3 MIPI DBI-C controller
@item
TI TSC2301 (in N800) and TI TSC2005 (in N810) touchscreen controllers
driven through SPI bus
@item
National Semiconductor LM8323-controlled qwerty keyboard driven
through I@math{^2}C bus
@item
Secure Digital card connected to OMAP MMC/SD host
@item
Three OMAP on-chip UARTs and on-chip STI debugging console
@item
A Bluetooth(R) transceiver and HCI connected to an UART
@item
Mentor Graphics "Inventra" dual-role USB controller embedded in a TI
TUSB6010 chip - only USB host mode is supported
@item
TI TMP105 temperature sensor driven through I@math{^2}C bus
@item
TI TWL92230C power management companion with an RTC on I@math{^2}C bus
@item
Nokia RETU and TAHVO multi-purpose chips with an RTC, connected
through CBUS
@end itemize

The Luminary Micro Stellaris LM3S811EVB emulation includes the following
devices:

@itemize @minus
@item
Cortex-M3 CPU core.
@item
64k Flash and 8k SRAM.
@item
Timers, UARTs, ADC and I@math{^2}C interface.
@item
OSRAM Pictiva 96x16 OLED with SSD0303 controller on I@math{^2}C bus.
@end itemize

The Luminary Micro Stellaris LM3S6965EVB emulation includes the following
devices:

@itemize @minus
@item
Cortex-M3 CPU core.
@item
256k Flash and 64k SRAM.
@item
Timers, UARTs, ADC, I@math{^2}C and SSI interfaces.
@item
OSRAM Pictiva 128x64 OLED with SSD0323 controller connected via SSI.
@end itemize

The Freecom MusicPal internet radio emulation includes the following
elements:

@itemize @minus
@item
Marvell MV88W8618 ARM core.
@item
32 MB RAM, 256 KB SRAM, 8 MB flash.
@item
Up to 2 16550 UARTs
@item
MV88W8xx8 Ethernet controller
@item
MV88W8618 audio controller, WM8750 CODEC and mixer
@item
128×64 display with brightness control
@item
2 buttons, 2 navigation wheels with button function
@end itemize

The Siemens SX1 models v1 and v2 (default) basic emulation.
The emulation includes the following elements:

@itemize @minus
@item
Texas Instruments OMAP310 System-on-chip (ARM 925T core)
@item
ROM and RAM memories (ROM firmware image can be loaded with -pflash)
V1
1 Flash of 16MB and 1 Flash of 8MB
V2
1 Flash of 32MB
@item
On-chip LCD controller
@item
On-chip Real Time Clock
@item
Secure Digital card connected to OMAP MMC/SD host
@item
Three on-chip UARTs
@end itemize

A Linux 2.6 test image is available on the QEMU web site. More
information is available in the QEMU mailing-list archive.

@c man begin OPTIONS

The following options are specific to the ARM emulation:

@table @option

@item -semihosting
Enable semihosting syscall emulation.

On ARM this implements the "Angel" interface.

Note that this allows guest direct access to the host filesystem,
so should only be used with trusted guest OS.

@end table

@c man end

@node ColdFire System emulator
@section ColdFire System emulator
@cindex system emulation (ColdFire)
@cindex system emulation (M68K)

Use the executable @file{qemu-system-m68k} to simulate a ColdFire machine.
The emulator is able to boot a uClinux kernel.

The M5208EVB emulation includes the following devices:

@itemize @minus
@item
MCF5208 ColdFire V2 Microprocessor (ISA A+ with EMAC).
@item
Three Two on-chip UARTs.
@item
Fast Ethernet Controller (FEC)
@end itemize

The AN5206 emulation includes the following devices:

@itemize @minus
@item
MCF5206 ColdFire V2 Microprocessor.
@item
Two on-chip UARTs.
@end itemize

@c man begin OPTIONS

The following options are specific to the ColdFire emulation:

@table @option

@item -semihosting
Enable semihosting syscall emulation.

On M68K this implements the "ColdFire GDB" interface used by libgloss.

Note that this allows guest direct access to the host filesystem,
so should only be used with trusted guest OS.

@end table

@c man end

@node Cris System emulator
@section Cris System emulator
@cindex system emulation (Cris)

TODO

@node Microblaze System emulator
@section Microblaze System emulator
@cindex system emulation (Microblaze)

TODO

@node SH4 System emulator
@section SH4 System emulator
@cindex system emulation (SH4)

TODO

@node Xtensa System emulator
@section Xtensa System emulator
@cindex system emulation (Xtensa)

Two executables cover simulation of both Xtensa endian options,
@file{qemu-system-xtensa} and @file{qemu-system-xtensaeb}.
Two different machine types are emulated:

@itemize @minus
@item
Xtensa emulator pseudo board "sim"
@item
Avnet LX60/LX110/LX200 board
@end itemize

The sim pseudo board emulation provides an environment similar
to one provided by the proprietary Tensilica ISS.
It supports:

@itemize @minus
@item
A range of Xtensa CPUs, default is the DC232B
@item
Console and filesystem access via semihosting calls
@end itemize

The Avnet LX60/LX110/LX200 emulation supports:

@itemize @minus
@item
A range of Xtensa CPUs, default is the DC232B
@item
16550 UART
@item
OpenCores 10/100 Mbps Ethernet MAC
@end itemize

@c man begin OPTIONS

The following options are specific to the Xtensa emulation:

@table @option

@item -semihosting
Enable semihosting syscall emulation.

Xtensa semihosting provides basic file IO calls, such as open/read/write/seek/select.
Tensilica baremetal libc for ISS and linux platform "sim" use this interface.

Note that this allows guest direct access to the host filesystem,
so should only be used with trusted guest OS.

@end table

@c man end

@node QEMU Guest Agent
@chapter QEMU Guest Agent invocation

@include qemu-ga.texi

@node QEMU User space emulator
@chapter QEMU User space emulator

@menu
* Supported Operating Systems ::
* Features::
* Linux User space emulator::
* BSD User space emulator ::
@end menu

@node Supported Operating Systems
@section Supported Operating Systems

The following OS are supported in user space emulation:

@itemize @minus
@item
Linux (referred as qemu-linux-user)
@item
BSD (referred as qemu-bsd-user)
@end itemize

@node Features
@section Features

QEMU user space emulation has the following notable features:

@table @strong
@item System call translation:
QEMU includes a generic system call translator.  This means that
the parameters of the system calls can be converted to fix
endianness and 32/64-bit mismatches between hosts and targets.
IOCTLs can be converted too.

@item POSIX signal handling:
QEMU can redirect to the running program all signals coming from
the host (such as @code{SIGALRM}), as well as synthesize signals from
virtual CPU exceptions (for example @code{SIGFPE} when the program
executes a division by zero).

QEMU relies on the host kernel to emulate most signal system
calls, for example to emulate the signal mask.  On Linux, QEMU
supports both normal and real-time signals.

@item Threading:
On Linux, QEMU can emulate the @code{clone} syscall and create a real
host thread (with a separate virtual CPU) for each emulated thread.
Note that not all targets currently emulate atomic operations correctly.
x86 and ARM use a global lock in order to preserve their semantics.
@end table

QEMU was conceived so that ultimately it can emulate itself. Although
it is not very useful, it is an important test to show the power of the
emulator.

@node Linux User space emulator
@section Linux User space emulator

@menu
* Quick Start::
* Wine launch::
* Command line options::
* Other binaries::
@end menu

@node Quick Start
@subsection Quick Start

In order to launch a Linux process, QEMU needs the process executable
itself and all the target (x86) dynamic libraries used by it.

@itemize

@item On x86, you can just try to launch any process by using the native
libraries:

@example
qemu-i386 -L / /bin/ls
@end example

@code{-L /} tells that the x86 dynamic linker must be searched with a
@file{/} prefix.

@item Since QEMU is also a linux process, you can launch QEMU with
QEMU (NOTE: you can only do that if you compiled QEMU from the sources):

@example
qemu-i386 -L / qemu-i386 -L / /bin/ls
@end example

@item On non x86 CPUs, you need first to download at least an x86 glibc
(@file{qemu-runtime-i386-XXX-.tar.gz} on the QEMU web page). Ensure that
@code{LD_LIBRARY_PATH} is not set:

@example
unset LD_LIBRARY_PATH
@end example

Then you can launch the precompiled @file{ls} x86 executable:

@example
qemu-i386 tests/i386/ls
@end example
You can look at @file{scripts/qemu-binfmt-conf.sh} so that
QEMU is automatically launched by the Linux kernel when you try to
launch x86 executables. It requires the @code{binfmt_misc} module in the
Linux kernel.

@item The x86 version of QEMU is also included. You can try weird things such as:
@example
qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
          /usr/local/qemu-i386/bin/ls-i386
@end example

@end itemize

@node Wine launch
@subsection Wine launch

@itemize

@item Ensure that you have a working QEMU with the x86 glibc
distribution (see previous section). In order to verify it, you must be
able to do:

@example
qemu-i386 /usr/local/qemu-i386/bin/ls-i386
@end example

@item Download the binary x86 Wine install
(@file{qemu-XXX-i386-wine.tar.gz} on the QEMU web page).

@item Configure Wine on your account. Look at the provided script
@file{/usr/local/qemu-i386/@/bin/wine-conf.sh}. Your previous
@code{$@{HOME@}/.wine} directory is saved to @code{$@{HOME@}/.wine.org}.

@item Then you can try the example @file{putty.exe}:

@example
qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
          /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
@end example

@end itemize

@node Command line options
@subsection Command line options

@example
@command{qemu-i386} [@option{-h]} [@option{-d]} [@option{-L} @var{path}] [@option{-s} @var{size}] [@option{-cpu} @var{model}] [@option{-g} @var{port}] [@option{-B} @var{offset}] [@option{-R} @var{size}] @var{program} [@var{arguments}...]
@end example

@table @option
@item -h
Print the help
@item -L path
Set the x86 elf interpreter prefix (default=/usr/local/qemu-i386)
@item -s size
Set the x86 stack size in bytes (default=524288)
@item -cpu model
Select CPU model (-cpu help for list and additional feature selection)
@item -E @var{var}=@var{value}
Set environment @var{var} to @var{value}.
@item -U @var{var}
Remove @var{var} from the environment.
@item -B offset
Offset guest address by the specified number of bytes.  This is useful when
the address region required by guest applications is reserved on the host.
This option is currently only supported on some hosts.
@item -R size
Pre-allocate a guest virtual address space of the given size (in bytes).
"G", "M", and "k" suffixes may be used when specifying the size.
@end table

Debug options:

@table @option
@item -d item1,...
Activate logging of the specified items (use '-d help' for a list of log items)
@item -p pagesize
Act as if the host page size was 'pagesize' bytes
@item -g port
Wait gdb connection to port
@item -singlestep
Run the emulation in single step mode.
@end table

Environment variables:

@table @env
@item QEMU_STRACE
Print system calls and arguments similar to the 'strace' program
(NOTE: the actual 'strace' program will not work because the user
space emulator hasn't implemented ptrace).  At the moment this is
incomplete.  All system calls that don't have a specific argument
format are printed with information for six arguments.  Many
flag-style arguments don't have decoders and will show up as numbers.
@end table

@node Other binaries
@subsection Other binaries

@cindex user mode (Alpha)
@command{qemu-alpha} TODO.

@cindex user mode (ARM)
@command{qemu-armeb} TODO.

@cindex user mode (ARM)
@command{qemu-arm} is also capable of running ARM "Angel" semihosted ELF
binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB
configurations), and arm-uclinux bFLT format binaries.

@cindex user mode (ColdFire)
@cindex user mode (M68K)
@command{qemu-m68k} is capable of running semihosted binaries using the BDM
(m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and
coldfire uClinux bFLT format binaries.

The binary format is detected automatically.

@cindex user mode (Cris)
@command{qemu-cris} TODO.

@cindex user mode (i386)
@command{qemu-i386} TODO.
@command{qemu-x86_64} TODO.

@cindex user mode (Microblaze)
@command{qemu-microblaze} TODO.

@cindex user mode (MIPS)
@command{qemu-mips} executes 32-bit big endian MIPS binaries (MIPS O32 ABI).

@command{qemu-mipsel} executes 32-bit little endian MIPS binaries (MIPS O32 ABI).

@command{qemu-mips64} executes 64-bit big endian MIPS binaries (MIPS N64 ABI).

@command{qemu-mips64el} executes 64-bit little endian MIPS binaries (MIPS N64 ABI).

@command{qemu-mipsn32} executes 32-bit big endian MIPS binaries (MIPS N32 ABI).

@command{qemu-mipsn32el} executes 32-bit little endian MIPS binaries (MIPS N32 ABI).

@cindex user mode (NiosII)
@command{qemu-nios2} TODO.

@cindex user mode (PowerPC)
@command{qemu-ppc64abi32} TODO.
@command{qemu-ppc64} TODO.
@command{qemu-ppc} TODO.

@cindex user mode (SH4)
@command{qemu-sh4eb} TODO.
@command{qemu-sh4} TODO.

@cindex user mode (SPARC)
@command{qemu-sparc} can execute Sparc32 binaries (Sparc32 CPU, 32 bit ABI).

@command{qemu-sparc32plus} can execute Sparc32 and SPARC32PLUS binaries
(Sparc64 CPU, 32 bit ABI).

@command{qemu-sparc64} can execute some Sparc64 (Sparc64 CPU, 64 bit ABI) and
SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).

@node BSD User space emulator
@section BSD User space emulator

@menu
* BSD Status::
* BSD Quick Start::
* BSD Command line options::
@end menu

@node BSD Status
@subsection BSD Status

@itemize @minus
@item
target Sparc64 on Sparc64: Some trivial programs work.
@end itemize

@node BSD Quick Start
@subsection Quick Start

In order to launch a BSD process, QEMU needs the process executable
itself and all the target dynamic libraries used by it.

@itemize

@item On Sparc64, you can just try to launch any process by using the native
libraries:

@example
qemu-sparc64 /bin/ls
@end example

@end itemize

@node BSD Command line options
@subsection Command line options

@example
@command{qemu-sparc64} [@option{-h]} [@option{-d]} [@option{-L} @var{path}] [@option{-s} @var{size}] [@option{-bsd} @var{type}] @var{program} [@var{arguments}...]
@end example

@table @option
@item -h
Print the help
@item -L path
Set the library root path (default=/)
@item -s size
Set the stack size in bytes (default=524288)
@item -ignore-environment
Start with an empty environment. Without this option,
the initial environment is a copy of the caller's environment.
@item -E @var{var}=@var{value}
Set environment @var{var} to @var{value}.
@item -U @var{var}
Remove @var{var} from the environment.
@item -bsd type
Set the type of the emulated BSD Operating system. Valid values are
FreeBSD, NetBSD and OpenBSD (default).
@end table

Debug options:

@table @option
@item -d item1,...
Activate logging of the specified items (use '-d help' for a list of log items)
@item -p pagesize
Act as if the host page size was 'pagesize' bytes
@item -singlestep
Run the emulation in single step mode.
@end table

@node System requirements
@chapter System requirements

@section KVM kernel module

On x86_64 hosts, the default set of CPU features enabled by the KVM accelerator
require the host to be running Linux v4.5 or newer.

The OpteronG[345] CPU models require KVM support for RDTSCP, which was
added with Linux 4.5 which is supported by the major distros. And even
if RHEL7 has kernel 3.10, KVM there has the required functionality there
to make it close to a 4.5 or newer kernel.

@include docs/security.texi

@include qemu-tech.texi

@include qemu-deprecated.texi

@node Supported build platforms
@appendix Supported build platforms

QEMU aims to support building and executing on multiple host OS platforms.
This appendix outlines which platforms are the major build targets. These
platforms are used as the basis for deciding upon the minimum required
versions of 3rd party software QEMU depends on. The supported platforms
are the targets for automated testing performed by the project when patches
are submitted for review, and tested before and after merge.

If a platform is not listed here, it does not imply that QEMU won't work.
If an unlisted platform has comparable software versions to a listed platform,
there is every expectation that it will work. Bug reports are welcome for
problems encountered on unlisted platforms unless they are clearly older
vintage than what is described here.

Note that when considering software versions shipped in distros as support
targets, QEMU considers only the version number, and assumes the features in
that distro match the upstream release with the same version. In other words,
if a distro backports extra features to the software in their distro, QEMU
upstream code will not add explicit support for those backports, unless the
feature is auto-detectable in a manner that works for the upstream releases
too.

The Repology site @url{https://repology.org} is a useful resource to identify
currently shipped versions of software in various operating systems, though
it does not cover all distros listed below.

@section Linux OS

For distributions with frequent, short-lifetime releases, the project will
aim to support all versions that are not end of life by their respective
vendors. For the purposes of identifying supported software versions, the
project will look at Fedora, Ubuntu, and openSUSE distros. Other short-
lifetime distros will be assumed to ship similar software versions.

For distributions with long-lifetime releases, the project will aim to support
the most recent major version at all times. Support for the previous major
version will be dropped 2 years after the new major version is released. For
the purposes of identifying supported software versions, the project will look
at RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros will
be assumed to ship similar software versions.

@section Windows

The project supports building with current versions of the MinGW toolchain,
hosted on Linux.

@section macOS

The project supports building with the two most recent versions of macOS, with
the current homebrew package set available.

@section FreeBSD

The project aims to support the all the versions which are not end of life.

@section NetBSD

The project aims to support the most recent major version at all times. Support
for the previous major version will be dropped 2 years after the new major
version is released.

@section OpenBSD

The project aims to support the all the versions which are not end of life.

@node License
@appendix License

QEMU is a trademark of Fabrice Bellard.

QEMU is released under the
@url{https://www.gnu.org/licenses/gpl-2.0.txt,GNU General Public License},
version 2. Parts of QEMU have specific licenses, see file
@url{https://git.qemu.org/?p=qemu.git;a=blob_plain;f=LICENSE,LICENSE}.

@node Index
@appendix Index
@menu
* Concept Index::
* Function Index::
* Keystroke Index::
* Program Index::
* Data Type Index::
* Variable Index::
@end menu

@node Concept Index
@section Concept Index
This is the main index. Should we combine all keywords in one index? TODO
@printindex cp

@node Function Index
@section Function Index
This index could be used for command line options and monitor functions.
@printindex fn

@node Keystroke Index
@section Keystroke Index

This is a list of all keystrokes which have a special function
in system emulation.

@printindex ky

@node Program Index
@section Program Index
@printindex pg

@node Data Type Index
@section Data Type Index

This index could be used for qdev device names and options.

@printindex tp

@node Variable Index
@section Variable Index
@printindex vr

@bye