QEMU was written by Fabrice Bellard and is free software, mainly licensed under the GNU General Public License (GPL for short). Various parts are released under the BSD license, GNU Lesser General Public License (LGPL) or other GPL-compatible licenses.^[5]

QEMU has multiple operating modes:^[6]

User-mode emulation

In this mode QEMU runs single Linux or Darwin/macOS programs that were compiled for a different instruction set. System calls are thunked for endianness and for 32/64 bit mismatches. Fast cross-compilation and cross-debugging are the main targets for user-mode emulation.

System emulation

In this mode QEMU emulates a full computer system, including peripherals. It can be used to provide virtual hosting of several virtual computers on a single computer. QEMU can boot many guest operating systems, including Linux, Solaris, Microsoft Windows, DOS, and BSD;^[7] it supports emulating several instruction sets, including x86, MIPS, 32-bit ARMv7, ARMv8, PowerPC, RISC-V, SPARC, ETRAX CRIS and MicroBlaze.

Hypervisor Support

In this mode QEMU either acts as a Virtual Machine Manager (VMM) or as a device emulation back-end for virtual machines running under a hypervisor. The most common is Linux's KVM but the project supports a number of hypervisors including Xen, Apple's HVF, Windows' WHPX and NetBSD's nvmm.^[8]

QEMU can save and restore the state of the virtual machine with all programs running. Guest operating systems do not need patching in order to run inside QEMU.

QEMU supports the emulation of various architectures, including x86, MIPS64 (up to Release 6),^[9] SPARC (sun4m and sun4u), ARM (Integrator/CP and Versatile/PB), SuperH, PowerPC (PReP and Power Macintosh), ETRAX CRIS, MicroBlaze, and RISC-V.

The virtual machine can interface with many types of physical host hardware, including the user's hard disks, CD-ROM drives, network cards, audio interfaces, and USB devices. USB devices can be completely emulated, or the host's USB devices can be used, although this requires administrator privileges and does not work with some devices.

Virtual disk images can be stored in a special format (qcow or qcow2) that only takes up as much disk space as the guest OS actually uses. This way, an emulated 120 GB disk may occupy only a few hundred megabytes on the host. The QCOW2 format also allows the creation of overlay images that record the difference from another (unmodified) base image file. This provides the possibility for reverting the emulated disk's contents to an earlier state. For example, a base image could hold a fresh install of an operating system that is known to work, and the overlay images are used. Should the guest system become unusable (through virus attack, accidental system destruction, etc.), the user can delete the overlay and use an earlier emulated disk image.

QEMU can emulate network cards (of different models) which share the host system's connectivity by doing network address translation, effectively allowing the guest to use the same network as the host. The virtual network cards can also connect to network cards of other instances of QEMU or to local TAP interfaces. Network connectivity can also be achieved by bridging a TUN/TAP interface used by QEMU with a non-virtual Ethernet interface on the host OS using the host OS's bridging features.

QEMU integrates several services to allow the host and guest systems to communicate; for example, an integrated SMB server and network-port redirection (to allow incoming connections to the virtual machine). It can also boot Linux kernels without a bootloader.

QEMU does not depend on the presence of graphical output methods on the host system. Instead, it can allow one to access the screen of the guest OS via an integrated VNC server. It can also use an emulated serial line, without any screen, with applicable operating systems.

Simulating multiple CPUs running SMP is possible.

QEMU does not require administrative rights to run unless additional kernel modules for improving speed (like KQEMU) are used or certain modes of its network connectivity model are utilized.

Tiny Code Generator edit

The Tiny Code Generator (TCG) aims to remove the shortcoming of relying on a particular version of GCC or any compiler, instead incorporating the compiler (code generator) into other tasks performed by QEMU at run time. The whole translation task thus consists of two parts: basic blocks of target code (TBs) being rewritten in TCG ops - a kind of machine-independent intermediate notation, and subsequently this notation being compiled for the host's architecture by TCG. Optional optimisation passes are performed between them, for a just-in-time compiler (JIT) mode.

TCG requires dedicated code written to support every architecture it runs on, so that the JIT knows what to translate the TCG ops to. If no dedicated JIT code is available for the architecture, TCG falls back to a slow interpreter mode called TCG Interpreter (TCI). It also requires updating the target code to use TCG ops instead of the old dyngen ops.

Starting with QEMU Version 0.10.0, TCG ships with the QEMU stable release. It replaces the dyngen, which relied on GCC 3.x to work.^[10][11]

Accelerator edit

KQEMU was a Linux kernel module, also written by Fabrice Bellard, which notably sped up emulation of x86 or x86-64 guests on platforms with the same CPU architecture. This worked by running user mode code (and optionally some kernel code) directly on the host computer's CPU, and by using processor and peripheral emulation only for kernel-mode and real-mode code. KQEMU could execute code from many guest OSes even if the host CPU did not support hardware-assisted virtualization. KQEMU was initially a closed-source product available free of charge, but starting from version 1.3.0pre10 (February 2007),^[12] it was relicensed under the GNU General Public License. QEMU versions starting with 0.12.0 (as of August 2009^[update]) support large memory which makes them incompatible with KQEMU.^[13] Newer releases of QEMU have completely removed support for KQEMU.

QVM86 was a GNU GPLv2 licensed drop-in replacement for the then closed-source KQEMU. The developers of QVM86 ceased development in January, 2007.

Kernel-based Virtual Machine (KVM) has mostly taken over as the Linux-based hardware-assisted virtualization solution for use with QEMU in the wake of the lack of support for KQEMU and QVM86.^{[citation needed]} QEMU can also use KVM on other architectures like ARM and MIPS.^[14]

Intel's Hardware Accelerated Execution Manager (HAXM) is an open-source alternative^[15] to KVM for x86-based hardware-assisted virtualization on NetBSD, Linux, Windows and macOS using Intel VT. As of 2013^[update] Intel mostly solicits its use with QEMU for Android development.^[16] Starting with version 2.9.0, the official QEMU includes support for HAXM, under the name hax.^[17]

QEMU also supports the following accelerators:^[17]

• hvf, Apple's Hypervisor.framework based on Intel VT.
• whpx, Microsoft's Windows Hypervisor Platform based on Intel VT or AMD-V.
• tcg, QEMU's own Tiny Code Generator. This is the default.

Supported disk image formats edit

QEMU supports the following disk image formats:^[18]

• macOS Universal Disk Image Format (.dmg) – Read-only
• Bochs – Read-only
• Linux cloop – Read-only
• Parallels disk image (.hdd, .hds) – Read-only
• QEMU copy-on-write (.qcow2, .qed, .qcow, .cow)
• VirtualBox Virtual Disk Image (.vdi)
• Virtual PC Virtual Hard Disk (.vhd)
• Virtual VFAT
• VMware Virtual Machine Disk (.vmdk)
• Raw images (.img) that contain sector-by-sector contents of a disk
• CD/DVD images (.iso) that contain sector-by-sector contents of an optical disk (e.g. booting live OSes)^[19]

QEMU Object Model edit

The QEMU Object Model (QOM) provides a framework for registering user creatable types and instantiating objects from those types.^[20]

QOM provides the following features:

• System for dynamically registering types
• Support for single-inheritance of types
• Multiple inheritance of stateless interfaces

Virtualization solutions that use QEMU are able to execute multiple virtual CPUs in parallel. For user-mode emulation QEMU maps emulated threads to host threads. For full system emulation, QEMU is capable of running a host thread for each emulated virtual CPU (vCPU). This is dependent on the guest having been updated to support parallel system emulation, currently ARM, Alpha, HP-PA, PowerPC, RISC-V, s390x, x86 and Xtensa. Otherwise a single thread is used to emulate all virtual CPUS (vCPUS) which executes each vCPU in a round-robin manner.

VirtualBox edit

VirtualBox, first released in January 2007, used some of QEMU's virtual hardware devices, and had a built-in dynamic recompiler based on QEMU. As with KQEMU, VirtualBox runs nearly all guest code natively on the host via the VMM (Virtual Machine Manager) and uses the recompiler only as a fallback mechanism - for example, when guest code executes in real mode.^[21] In addition, VirtualBox did a lot of code analysis and patching using a built-in disassembler in order to minimize recompilation. VirtualBox is free and open-source (available under GPL), except for certain features.

Xen-HVM edit

Xen, a virtual machine monitor, can run in HVM (hardware virtual machine) mode, using Intel VT-x or AMD-V hardware x86 virtualization extensions and ARM Cortex-A7 and Cortex-A15 virtualization extension.^[22] This means that instead of paravirtualized devices, a real set of virtual hardware is exposed to the domU to use real device drivers to talk to.

QEMU includes several components: CPU emulators, emulated devices, generic devices, machine descriptions, user interface, and a debugger. The emulated devices and generic devices in QEMU make up its device models for I/O virtualization.^[23] They comprise a PIIX3 IDE (with some rudimentary PIIX4 capabilities), Cirrus Logic or plain VGA emulated video, RTL8139 or E1000 network emulation, and ACPI support.^[24] APIC support is provided by Xen.

Xen-HVM has device emulation based on the QEMU project to provide I/O virtualization to the VMs. Hardware is emulated via a QEMU "device model" daemon running as a backend in dom0. Unlike other QEMU running modes (dynamic translation or KVM), virtual CPUs are completely managed to the hypervisor, which takes care of stopping them while QEMU is emulating memory-mapped I/O accesses.

KVM edit

KVM (Kernel-based Virtual Machine) is a FreeBSD and Linux kernel module that allows a user space program access to the hardware virtualization features of various processors, with which QEMU is able to offer virtualization for x86, PowerPC, and S/390 guests. When the target architecture is the same as the host architecture, QEMU can make use of KVM particular features, such as acceleration.

Win4Lin Pro Desktop edit

In early 2005, Win4Lin introduced Win4Lin Pro Desktop, based on a 'tuned' version of QEMU and KQEMU and it hosts NT-versions of Windows. In June 2006,^[25] Win4Lin released Win4Lin Virtual Desktop Server based on the same code base. Win4Lin Virtual Desktop Server serves Microsoft Windows sessions to thin clients from a Linux server.

In September 2006, Win4Lin announced a change of the company name to with the release of Win4BSD Pro Desktop, a port of the product to FreeBSD and PC-BSD. Solaris support followed in May 2007 with the release of Win4Solaris Pro Desktop and Win4Solaris Virtual Desktop Server.^[26]

SerialICE edit

SerialICE is a QEMU-based firmware debugging tool running system firmware inside of QEMU while accessing real hardware through a serial connection to a host system. This can be used as a cheap replacement for hardware in-circuit emulators (ICE).^[27]

WinUAE edit

WinUAE introduced support for the CyberStorm PPC and Blizzard 603e boards using the QEMU PPC core in version 3.0.0.^[28]

Unicorn edit

Unicorn is a CPU emulation framework based on QEMU's "TCG" CPU emulator. Unlike QEMU, Unicorn focuses on the CPU only: no emulation of any peripherals is provided and raw binary code (outside of the context of an executable file or a system image) can be run directly. Unicorn is thread-safe and has multiple bindings and instrumentation interfaces.^[29]

Limbo X86 PC Emulator edit

Limbo is an X86 and ARM64 virtual machine for Android based on QEMU^[30] It is one of the few pieces of virtual machine software available for Android capable of emulating Microsoft Windows,^[31] although it was designed to emulate Linux and DOS. Unlike other QEMU-based emulators, it does not require users to type commands to use, instead having a user interface to set the virtual machine's settings.

It is more popular in developing countries in Asia such as India, Malaysia, and Thailand on YouTube due to the popularity of the Android Operating System.^[32] Limbo was removed from the Google Play Store for unknown reasons between February 2019 and December 2020, through it can still be installed off the developers website with an APK (Android Package) installation.^[33] Limbo is known for having stuttery and laggy audio quality, and no known fixes have been found as of 2023.^[34] Limbo is generally unknown in popularity compared to other virtual machine software, making troubleshooting very difficult.

It is required to install a special application known as "Hacker's Keyboard" to use many keyboard functions that a basic Android keyboard cannot do in Limbo X86, such as the Ctrl, Alt, Del, and function keys.^[35] It is recommended to install Hacker's Keyboard with an APK file due to the Google Play Store stating it does not support newer Android versions, however with an APK file you can install Hacker's Keyboard on newer versions of Android.^[36]

x86 edit

Can emulate i386 and x86_64 architecture. Besides the CPU (which is also configurable and can emulate a number of Intel CPU models including (as of 3 March 2018) Sandy Bridge,^[37] Ivy Bridge,^[38] Haswell,^[39] Broadwell^[40][41] and Skylake^[39]), the following devices are emulated:

• CD/DVD-ROM drive using an ISO image
• Floppy disk drive
• ATA controller or Serial ATA AHCI controller
• Graphics card: Cirrus CLGD 5446 PCI VGA-card, Standard-VGA graphics card with Bochs-VBE, Red Hat QXL VGA
• Network card: Realtek 8139C+ PCI, NE2000 PCI, NE2000 ISA, PCnet, E1000 (PCI Intel Gigabit Ethernet) and E1000E (PCIe Intel Gigabit Ethernet)^[42][43]
• NVMe disk interface
• Serial port
• Parallel port
• PC speaker
• i440FX/PIIX3 or Q35/ICH9 chipsets
• PS/2 mouse and keyboard
• SCSI controller: LSI MegaRAID SAS 1078, LSI53C895A, NCR53C9x as found in the AMD PCscsi and Tekram DC-390 controllers
• Sound card: Sound Blaster 16, AudioPCI ES1370, ICH AC'97, Gravis Ultrasound, and Intel HD Audio^[44]
• Watchdog timer (Intel 6300 ESB PCI, or iB700 ISA)
• USB 1.x/2.x/3.x controllers (UHCI, EHCI, xHCI)
• USB devices: Audio, Bluetooth dongle, HID (keyboard/mouse/tablet), MTP, serial interface, CAC smartcard reader, storage (bulk-only transfer and USB Attached SCSI), Wacom tablet
• Paravirtualized VirtIO devices: block device, network card, SCSI controller, video device, serial interface, balloon driver, 9pfs filesystem driver
• Paravirtualized Xen devices: block device, network card, console, framebuffer and input device

The BIOS implementation used by QEMU starting from version 0.12 is SeaBIOS. The VGA BIOS implementation comes from Plex86/Bochs. The UEFI firmware for QEMU is OVMF.^[45]

PowerPC edit

PowerMac edit

QEMU emulates the following PowerMac peripherals:

• UniNorth PCI bridge
• PCI-VGA-compatible graphics card which maps the VESA Bochs Extensions
• Two PMAC-IDE-Interfaces with hard disk and CD-ROM support.
• NE2000 PCI adapter
• Non-volatile RAM
• VIA-CUDA with ADB keyboard and mouse.

OpenBIOS is used as the firmware.

PREP edit

QEMU emulates the following PREP peripherals:

• PCI bridge
• PCI VGA-compatible graphics card with VESA Bochs Extensions
• Two IDE interfaces with hard disk and CD-ROM support
• Floppy disk drive
• NE2000 network adapter
• Serial interface
• PREP non-volatile RAM
• PC-compatible keyboard and mouse

On the PREP target, Open Hack'Ware, an Open-Firmware-compatible BIOS, is used.

IBM System p edit

QEMU can emulate the paravirtual sPAPR interface with the following peripherals:

• PCI bridge, for access to virtio devices, VGA-compatible graphics, USB, etc.
• Virtual I/O network adapter, SCSI controller, and serial interface
• sPAPR non-volatile RAM

On the sPAPR target, another Open-Firmware-compatible BIOS is used, called SLOF.

ARM edit

ARM32 edit

QEMU emulates the ARMv7 instruction set (and down to ARMv5TEJ) with NEON extension.^[46] It emulates full systems like Integrator/CP board, Versatile baseboard, RealView Emulation baseboard, XScale-based PDAs, Palm Tungsten|E PDA, Nokia N800 and Nokia N810 Internet tablets etc. QEMU also powers the Android emulator which is part of the Android SDK (most current Android implementations are ARM-based). Starting from version 2.0.0 of their Bada SDK, Samsung has chosen QEMU to help development on emulated 'Wave' devices.

In 1.5.0 and 1.6.0 Samsung Exynos 4210 (dual-core Cortex-A9) and Versatile Express ARM Cortex-A9 ARM Cortex-A15 are emulated. In 1.6.0, the 32-bit instructions of the ARMv8 (AArch64) architecture are emulated, but 64-bit instructions are unsupported.

The Xilinx Cortex A9-based Zynq SoC is modeled, with the following elements:

• Zynq-7000 ARM Cortex-A9 CPU
• Zynq-7000 ARM Cortex-A9 MPCore
• Triple Timer Counter
• DDR Memory Controller
• DMA Controller (PL330)
• Static Memory Controller (NAND/NOR Flash)
• SD/SDIO Peripheral Controller (SDHCI)
• Zynq Gigabit Ethernet Controller
• USB Controller (EHCI - Host support only)
• Zynq UART Controller
• SPI and QSPI Controllers
• I2C Controller

ARM64 edit

SPARC edit

QEMU has support for both 32- and 64-bit SPARC architectures.

When the firmware in the JavaStation (sun4m-Architecture) became version 0.8.1 Proll,^[47] a PROM replacement used in version 0.8.2, was replaced with OpenBIOS.

SPARC32 edit

QEMU emulates the following sun4m/sun4c/sun4d peripherals:

• IOMMU or IO-UNITs
• TCX Frame buffer (graphics card)
• Lance (Am7990) Ethernet
• Non-volatile RAM M48T02/M48T08
• Slave I/O: timers, interrupt controllers, Zilog serial ports, keyboard and power/reset logic
• ESP SCSI controller with hard disk and CD-ROM support
• Floppy drive (not on SS-600MP)
• CS4231 sound device (only on SS-5, not working yet)

SPARC64 edit

Emulating Sun4u (UltraSPARC PC-like machine), Sun4v (T1 PC-like machine), or generic Niagara (T1) machine with the following peripherals:

• UltraSparc IIi APB PCI Bridge
• PCI VGA-compatible card with VESA Bochs Extensions
• PS/2 mouse and keyboard
• Non-volatile RAM M48T59
• PC-compatible serial ports
• 2 PCI IDE interfaces with hard disk and CD-ROM support
• Floppy disk

MicroBlaze edit

Supported peripherals:

• MicroBlaze with/without MMU, including
• AXI Timer and Interrupt controller peripherals
• AXI External Memory Controller
• AXI DMA Controller
• Xilinx AXI Ethernet
• AXI Ethernet Lite
• AXI UART 16650 and UARTLite
• AXI SPI Controller

LatticeMico32 edit

Supported peripherals: From the Milkymist SoC

• UART
• VGA
• Memory card
• Ethernet
• pfu
• timer

CRIS edit

OpenRISC edit

Others edit

External trees exist, supporting the following targets:

• Zilog Z80^[48] emulating a 48K ZX Spectrum
• HP PA-RISC^[49]

• qcow
• Comparison of platform virtualization software
• Mtools
• OVPsim
• Q
• SIMH
• SPIM
• GXemul
• GNOME Boxes

• Official website  
• QEMU documentation
• an IBM developerWorks article by M. Tim Jones
• QVM86 project page
• Debian on an emulated ARM machine
• Fedora ARM port emulation with QEMU
• (in German, or computer translated to English)
• QEMU on Windows
• QEMU Binaries for Windows
• Microblaze emulation with QEMU
• UnifiedSessionsManager - An unofficial QEMU/KVM configuration file definition
• Couverture, a code coverage project based on QEMU