1QEMU(1)                              QEMU                              QEMU(1)
2
3
4

NAME

6       qemu - QEMU User Documentation
7

SYNOPSIS

9          qemu-system-x86_64 [options] [disk_image]
10

DESCRIPTION

12       The QEMU PC System emulator simulates the following peripherals:
13
14       • i440FX host PCI bridge and PIIX3 PCI to ISA bridge
15
16       • Cirrus  CLGD  5446 PCI VGA card or dummy VGA card with Bochs VESA ex‐
17         tensions (hardware level, including all non standard modes).
18
19       • PS/2 mouse and keyboard
20
21       • 2 PCI IDE interfaces with hard disk and CD-ROM support
22
23       • Floppy disk
24
25       • PCI and ISA network adapters
26
27       • Serial ports
28
29       • IPMI BMC, either and internal or external one
30
31       • Creative SoundBlaster 16 sound card
32
33       • ENSONIQ AudioPCI ES1370 sound card
34
35       • Intel 82801AA AC97 Audio compatible sound card
36
37       • Intel HD Audio Controller and HDA codec
38
39       • Adlib (OPL2) - Yamaha YM3812 compatible chip
40
41       • Gravis Ultrasound GF1 sound card
42
43       • CS4231A compatible sound card
44
45       • PC speaker
46
47       • PCI UHCI, OHCI, EHCI or XHCI USB controller  and  a  virtual  USB-1.1
48         hub.
49
50       SMP is supported with up to 255 CPUs.
51
52       QEMU  uses  the  PC  BIOS from the Seabios project and the Plex86/Bochs
53       LGPL VGA BIOS.
54
55       QEMU uses YM3812 emulation by Tatsuyuki Satoh.
56
57       QEMU uses GUS emulation (GUSEMU32 http://www.deinmeister.de/gusemu/) by
58       Tibor "TS" Schütz.
59
60       Note  that,  by  default,  GUS shares IRQ(7) with parallel ports and so
61       QEMU must be told to not have parallel ports to have working GUS.
62
63          qemu-system-x86_64 dos.img -device gus -parallel none
64
65       Alternatively:
66
67          qemu-system-x86_64 dos.img -device gus,irq=5
68
69       Or some other unclaimed IRQ.
70
71       CS4231A is the chip used in Windows Sound System and GUSMAX products
72
73       The PC speaker audio device can be configured using the  pcspk-audiodev
74       machine property, i.e.
75
76          qemu-system-x86_64 some.img -audiodev <backend>,id=<name> -machine pcspk-audiodev=<name>
77

OPTIONS

79       disk_image  is  a raw hard disk image for IDE hard disk 0. Some targets
80       do not need a disk image.
81
82   Standard options
83       -h     Display help and exit
84
85       -version
86              Display version information and exit
87
88       -machine [type=]name[,prop=value[,...]]
89              Select the emulated machine by name. Use -machine help  to  list
90              available machines.
91
92              For  architectures  which aim to support live migration compati‐
93              bility across releases, each release will introduce a  new  ver‐
94              sioned  machine  type. For example, the 2.8.0 release introduced
95              machine  types  "pc-i440fx-2.8"   and   "pc-q35-2.8"   for   the
96              x86_64/i686 architectures.
97
98              To  allow  live  migration of guests from QEMU version 2.8.0, to
99              QEMU  version  2.9.0,  the  2.9.0  version  must   support   the
100              "pc-i440fx-2.8"  and  "pc-q35-2.8"  machines too. To allow users
101              live migrating VMs to skip multiple intermediate  releases  when
102              upgrading,  new releases of QEMU will support machine types from
103              many previous versions.
104
105              Supported machine properties are:
106
107              accel=accels1[:accels2[:...]]
108                     This is used to enable an accelerator. Depending  on  the
109                     target  architecture,  kvm,  xen, hax, hvf, nvmm, whpx or
110                     tcg can be available.  By default, tcg is used. If  there
111                     is  more  than one accelerator specified, the next one is
112                     used if the previous one fails to initialize.
113
114              vmport=on|off|auto
115                     Enables emulation of VMWare IO  port,  for  vmmouse  etc.
116                     auto  says  to  select  the value based on accel. For ac‐
117                     cel=xen the default is off otherwise the default is on.
118
119              dump-guest-core=on|off
120                     Include guest memory in a core dump. The default is on.
121
122              mem-merge=on|off
123                     Enables or disables memory merge support.  This  feature,
124                     when  supported by the host, de-duplicates identical mem‐
125                     ory pages among VMs instances (enabled by default).
126
127              aes-key-wrap=on|off
128                     Enables or disables AES key wrapping support on  s390-ccw
129                     hosts.   This  feature controls whether AES wrapping keys
130                     will be created to allow execution of  AES  cryptographic
131                     functions. The default is on.
132
133              dea-key-wrap=on|off
134                     Enables  or disables DEA key wrapping support on s390-ccw
135                     hosts.  This feature controls whether DEA  wrapping  keys
136                     will  be  created to allow execution of DEA cryptographic
137                     functions. The default is on.
138
139              nvdimm=on|off
140                     Enables or disables NVDIMM support. The default is off.
141
142              memory-encryption=
143                     Memory encryption object to use. The default is none.
144
145              hmat=on|off
146                     Enables or disables ACPI Heterogeneous  Memory  Attribute
147                     Table (HMAT) support. The default is off.
148
149              memory-backend='id'
150                     An  alternative  to legacy -mem-path and mem-prealloc op‐
151                     tions.  Allows to use a memory backend as main RAM.
152
153                     For example:
154
155                        -object memory-backend-file,id=pc.ram,size=512M,mem-path=/hugetlbfs,prealloc=on,share=on
156                        -machine memory-backend=pc.ram
157                        -m 512M
158
159                     Migration compatibility note:
160
161                     • as backend id one shall use value of  'default-ram-id',
162                       advertised  by  machine  type  (available via query-ma‐
163                       chines QMP command),  if  migration  to/from  old  QEMU
164                       (<5.0) is expected.
165
166                     • for  machine  types  4.0  and  older,  user  shall  use
167                       x-use-canonical-path-for-ramblock-id=off backend option
168                       if migration to/from old QEMU (<5.0) is expected.
169
170                     For example:
171
172                        -object memory-backend-ram,id=pc.ram,size=512M,x-use-canonical-path-for-ramblock-id=off
173                        -machine memory-backend=pc.ram
174                        -m 512M
175
176              cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtar‐
177              get,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granu‐
178              larity]
179                     Define a CXL Fixed Memory Window (CFMW).
180
181                     Described in the CXL 2.0 ECN: CEDT CFMWS & QTG _DSM.
182
183                     They  are  regions  of Host Physical Addresses (HPA) on a
184                     system which may be interleaved across one  or  more  CXL
185                     host bridges.  The system software will assign particular
186                     devices into these windows and configure  the  downstream
187                     Host-managed  Device Memory (HDM) decoders in root ports,
188                     switch ports and devices appropriately to meet the inter‐
189                     leave requirements before enabling the memory devices.
190
191                     targets.X=target provides the mapping to CXL host bridges
192                     which may be identified by the id provided in the -device
193                     entry.   Multiple  entries  are needed to specify all the
194                     targets when the fixed memory  window  represents  inter‐
195                     leaved memory. X is the target index from 0.
196
197                     size=size  sets the size of the CFMW. This must be a mul‐
198                     tiple of 256MiB. The region will be aligned to 256MiB but
199                     the location is platform and configuration dependent.
200
201                     interleave-granularity=granularity  sets  the granularity
202                     of  interleave.  Default  256KiB.  Only  256KiB,  512KiB,
203                     1024KiB, 2048KiB 4096KiB, 8192KiB and 16384KiB granulari‐
204                     ties supported.
205
206                     Example:
207
208                        -machine cxl-fmw.0.targets.0=cxl.0,cxl-fmw.0.targets.1=cxl.1,cxl-fmw.0.size=128G,cxl-fmw.0.interleave-granularity=512k
209
210       sgx-epc.0.memdev=@var{memid},sgx-epc.0.node=@var{numaid}
211              Define an SGX EPC section.
212
213       -cpu model
214              Select CPU model (-cpu help for list and additional feature  se‐
215              lection)
216
217       -accel name[,prop=value[,...]]
218              This  is  used to enable an accelerator. Depending on the target
219              architecture, kvm, xen, hax, hvf,  nvmm,  whpx  or  tcg  can  be
220              available.  By  default,  tcg is used. If there is more than one
221              accelerator specified, the next one is used if the previous  one
222              fails to initialize.
223
224              igd-passthru=on|off
225                     When  Xen  is  in use, this option controls whether Intel
226                     integrated graphics devices can be passed through to  the
227                     guest (default=off)
228
229              kernel-irqchip=on|off|split
230                     Controls  KVM  in-kernel  irqchip support. The default is
231                     full acceleration of the interrupt controllers.  On  x86,
232                     split  irqchip  reduces  the  kernel attack surface, at a
233                     performance cost for non-MSI  interrupts.  Disabling  the
234                     in-kernel  irqchip  completely  is not recommended except
235                     for debugging purposes.
236
237              kvm-shadow-mem=size
238                     Defines the size of the KVM shadow MMU.
239
240              one-insn-per-tb=on|off
241                     Makes the TCG accelerator put only one guest  instruction
242                     into  each translation block. This slows down emulation a
243                     lot, but can be useful in some situations, such  as  when
244                     trying to analyse the logs produced by the -d option.
245
246              split-wx=on|off
247                     Controls  the  use  of split w^x mapping for the TCG code
248                     generation buffer. Some operating systems require this to
249                     be  enabled,  and in such a case this will default on. On
250                     other operating systems, this will default off,  but  one
251                     may enable this for testing or debugging.
252
253              tb-size=n
254                     Controls  the  size (in MiB) of the TCG translation block
255                     cache.
256
257              thread=single|multi
258                     Controls  number  of  TCG  threads.  When  the   TCG   is
259                     multi-threaded  there  will be one thread per vCPU there‐
260                     fore taking advantage of additional host cores.  The  de‐
261                     fault   is  to  enable  multi-threading  where  both  the
262                     back-end and front-ends support it  and  no  incompatible
263                     TCG features have been enabled (e.g.  icount/replay).
264
265              dirty-ring-size=n
266                     When the KVM accelerator is used, it controls the size of
267                     the per-vCPU dirty page ring buffer  (number  of  entries
268                     for  each  vCPU).  It  should be a value that is power of
269                     two, and it should be 1024 or bigger (but still less than
270                     the  maximum value that the kernel supports).  4096 could
271                     be a good initial value if you have no idea which is  the
272                     best.   Set  this  value to 0 to disable the feature.  By
273                     default, this feature  is  disabled  (dirty-ring-size=0).
274                     When  enabled,  KVM  will instead record dirty pages in a
275                     bitmap.
276
277              notify-vmexit=run|internal-error|disable,notify-window=n
278                     Enables or disables notify VM exit support  on  x86  host
279                     and  specify  the  corresponding notify window to trigger
280                     the VM exit if enabled.  run option enables the  feature.
281                     It  does nothing and continue if the exit happens. inter‐
282                     nal-error option enables the feature.  It raises a inter‐
283                     nal  error.  disable  option  doesn't enable the feature.
284                     This feature can mitigate the  CPU  stuck  issue  due  to
285                     event windows don't open up for a specified of time (i.e.
286                     notify-window).   Default:  notify-vmexit=run,notify-win‐
287                     dow=0.
288
289       -smp  [[cpus=]n][,maxcpus=maxcpus][,sockets=sockets][,dies=dies][,clus‐
290       ters=clusters][,cores=cores][,threads=threads]
291              Simulate a SMP system with 'n' CPUs initially present on the ma‐
292              chine type board. On boards supporting CPU hotplug, the optional
293              'maxcpus' parameter can be set to  enable  further  CPUs  to  be
294              added  at runtime. When both parameters are omitted, the maximum
295              number of CPUs will be calculated  from  the  provided  topology
296              members and the initial CPU count will match the maximum number.
297              When only one of them is given then the omitted one will be  set
298              to  its  counterpart's value.  Both parameters may be specified,
299              but the maximum number of CPUs must be equal to or greater  than
300              the  initial  CPU  count.  Product of the CPU topology hierarchy
301              must be equal to the maximum number of  CPUs.   Both  parameters
302              are subject to an upper limit that is determined by the specific
303              machine type chosen.
304
305              To control reporting of CPU topology information, values of  the
306              topology  parameters can be specified. Machines may only support
307              a subset of the parameters and different machines may have  dif‐
308              ferent subsets supported which vary depending on capacity of the
309              corresponding CPU targets. So  for  a  particular  machine  type
310              board, an expected topology hierarchy can be defined through the
311              supported sub-option. Unsupported parameters can  also  be  pro‐
312              vided  in  addition  to the sub-option, but their values must be
313              set as 1 in the purpose of correct parsing.
314
315              Either the initial CPU count, or at least one  of  the  topology
316              parameters  must  be specified. The specified parameters must be
317              greater than zero, explicit configuration like "cpus=0"  is  not
318              allowed. Values for any omitted parameters will be computed from
319              those which are given.
320
321              For example, the following sub-option defines a CPU topology hi‐
322              erarchy (2 sockets totally on the machine, 2 cores per socket, 2
323              threads per  core)  for  a  machine  that  only  supports  sock‐
324              ets/cores/threads.   Some  members  of the option can be omitted
325              but their values will be automatically computed:
326
327                 -smp 8,sockets=2,cores=2,threads=2,maxcpus=8
328
329              The following sub-option defines a  CPU  topology  hierarchy  (2
330              sockets  totally  on the machine, 2 dies per socket, 2 cores per
331              die, 2 threads per core) for PC  machines  which  support  sock‐
332              ets/dies/cores/threads.  Some members of the option can be omit‐
333              ted but their values will be automatically computed:
334
335                 -smp 16,sockets=2,dies=2,cores=2,threads=2,maxcpus=16
336
337              The following sub-option defines a  CPU  topology  hierarchy  (2
338              sockets  totally  on the machine, 2 clusters per socket, 2 cores
339              per cluster, 2 threads per core) for  ARM  virt  machines  which
340              support sockets/clusters /cores/threads. Some members of the op‐
341              tion can be omitted but their values will be automatically  com‐
342              puted:
343
344                 -smp 16,sockets=2,clusters=2,cores=2,threads=2,maxcpus=16
345
346              Historically  preference  was given to the coarsest topology pa‐
347              rameters when computing missing  values  (ie  sockets  preferred
348              over  cores,  which  were preferred over threads), however, this
349              behaviour is considered liable to change. Prior to 6.2 the pref‐
350              erence  was sockets over cores over threads. Since 6.2 the pref‐
351              erence is cores over sockets over threads.
352
353              For example, the following option defines a machine board with 2
354              sockets of 1 core before 6.2 and 1 socket of 2 cores after 6.2:
355
356                 -smp 2
357
358              Note:  The  cluster  topology will only be generated in ACPI and
359              exposed to guest if it's explicitly specified in -smp.
360
361       -numa  node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initia‐
362       tor=initiator]
363
364
365       -numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initia‐
366       tor=initiator]
367
368
369       -numa dist,src=source,dst=destination,val=distance
370
371
372       -numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]
373
374
375       -numa              hmat-lb,initiator=node,target=node,hierarchy=hierar‐
376       chy,data-type=type[,latency=lat][,bandwidth=bw]
377
378
379       -numa        hmat-cache,node-id=node,size=size,level=level[,associativ‐
380       ity=str][,policy=str][,line=size]
381              Define a NUMA node and assign RAM and VCPUs to it. Set the  NUMA
382              distance  from a source node to a destination node. Set the ACPI
383              Heterogeneous Memory Attributes for the given nodes.
384
385              Legacy VCPU assignment uses 'cpus'  option  where  firstcpu  and
386              lastcpu are CPU indexes. Each 'cpus' option represent a contigu‐
387              ous range of CPU indexes (or a single VCPU if lastcpu  is  omit‐
388              ted).  A  non-contiguous set of VCPUs can be represented by pro‐
389              viding multiple 'cpus' options. If  'cpus'  is  omitted  on  all
390              nodes, VCPUs are automatically split between them.
391
392              For example, the following option assigns VCPUs 0, 1, 2 and 5 to
393              a NUMA node:
394
395                 -numa node,cpus=0-2,cpus=5
396
397              'cpu' option is a new alternative to 'cpus'  option  which  uses
398              'socket-id|core-id|thread-id'  properties  to assign CPU objects
399              to a node using topology layout properties of CPU.  The  set  of
400              properties  is  machine  specific,  and  depends on used machine
401              type/'smp' options. It could be queried with 'hotpluggable-cpus'
402              monitor  command. 'node-id' property specifies node to which CPU
403              object will be assigned, it's required for node to  be  declared
404              with 'node' option before it's used with 'cpu' option.
405
406              For example:
407
408                 -M pc \
409                 -smp 1,sockets=2,maxcpus=2 \
410                 -numa node,nodeid=0 -numa node,nodeid=1 \
411                 -numa cpu,node-id=0,socket-id=0 -numa cpu,node-id=1,socket-id=1
412
413              'memdev'  option  assigns RAM from a given memory backend device
414              to a node. It is recommended to use 'memdev' option over  legacy
415              'mem'  option.  This  is because 'memdev' option provides better
416              performance and more control over the backend's RAM (e.g.  'pre‐
417              alloc' parameter of '-memory-backend-ram' allows memory preallo‐
418              cation).
419
420              For compatibility reasons, legacy 'mem' option is  supported  in
421              5.0  and  older  machine types. Note that 'mem' and 'memdev' are
422              mutually exclusive. If one node uses 'memdev',  the  rest  nodes
423              have to use 'memdev' option, and vice versa.
424
425              Users  must  specify  memory  for all NUMA nodes by 'memdev' (or
426              legacy 'mem' if available). In QEMU 5.2, the support for  '-numa
427              node' without memory specified was removed.
428
429              'initiator'  is an additional option that points to an initiator
430              NUMA node that has  best  performance  (the  lowest  latency  or
431              largest  bandwidth) to this NUMA node. Note that this option can
432              be set only when the machine property 'hmat' is set to 'on'.
433
434              Following example creates a machine with 2 NUMA  nodes,  node  0
435              has  CPU.  node  1 has only memory, and its initiator is node 0.
436              Note that because node 0 has CPU, by default  the  initiator  of
437              node 0 is itself and must be itself.
438
439                 -machine hmat=on \
440                 -m 2G,slots=2,maxmem=4G \
441                 -object memory-backend-ram,size=1G,id=m0 \
442                 -object memory-backend-ram,size=1G,id=m1 \
443                 -numa node,nodeid=0,memdev=m0 \
444                 -numa node,nodeid=1,memdev=m1,initiator=0 \
445                 -smp 2,sockets=2,maxcpus=2  \
446                 -numa cpu,node-id=0,socket-id=0 \
447                 -numa cpu,node-id=0,socket-id=1
448
449              source  and  destination are NUMA node IDs. distance is the NUMA
450              distance from source to destination. The distance from a node to
451              itself  is  always 10. If any pair of nodes is given a distance,
452              then all pairs must be given distances. Although, when distances
453              are only given in one direction for each pair of nodes, then the
454              distances in the opposite directions are assumed to be the same.
455              If, however, an asymmetrical pair of distances is given for even
456              one node pair, then all node pairs  must  be  provided  distance
457              values for both directions, even when they are symmetrical. When
458              a node is unreachable from another node, set the pair's distance
459              to 255.
460
461              Note that the -numa option doesn't allocate any of the specified
462              resources, it just assigns existing  resources  to  NUMA  nodes.
463              This means that one still has to use the -m, -smp options to al‐
464              locate RAM and VCPUs respectively.
465
466              Use 'hmat-lb' to set System Locality Latency and  Bandwidth  In‐
467              formation  between  initiator and target NUMA nodes in ACPI Het‐
468              erogeneous Attribute Memory Table (HMAT).  Initiator  NUMA  node
469              can  create  memory requests, usually it has one or more proces‐
470              sors.  Target NUMA node contains addressable memory.
471
472              In 'hmat-lb' option, node are NUMA node IDs.  hierarchy  is  the
473              memory  hierarchy of the target NUMA node: if hierarchy is 'mem‐
474              ory', the structure represents the memory performance; if  hier‐
475              archy  is 'first-level|second-level|third-level', this structure
476              represents aggregated performance of memory side caches for each
477              domain.  type of 'data-type' is type of data represented by this
478              structure instance: if 'hierarchy' is 'memory',  'data-type'  is
479              'access|read|write'  latency or 'access|read|write' bandwidth of
480              the  target  memory;   if   'hierarchy'   is   'first-level|sec‐
481              ond-level|third-level',  'data-type'  is 'access|read|write' hit
482              latency or 'access|read|write' hit bandwidth of the target  mem‐
483              ory side cache.
484
485              lat  is latency value in nanoseconds. bw is bandwidth value, the
486              possible value and units are NUM[M|G|T], mean that the bandwidth
487              value  are  NUM byte per second (or MB/s, GB/s or TB/s depending
488              on used suffix). Note that if latency or bandwidth value  is  0,
489              means  the corresponding latency or bandwidth information is not
490              provided.
491
492              In 'hmat-cache' option, node-id is the NUMA-id of the memory be‐
493              longs.  size is the size of memory side cache in bytes. level is
494              the cache level described in this structure, note that the cache
495              level  0  should not be used with 'hmat-cache' option.  associa‐
496              tivity  is  the  cache  associativity,  the  possible  value  is
497              'none/direct(direct-mapped)/complex(complex   cache  indexing)'.
498              policy is the write policy. line  is  the  cache  Line  size  in
499              bytes.
500
501              For example, the following options describe 2 NUMA nodes. Node 0
502              has 2 cpus and a ram, node 1 has only a ram. The  processors  in
503              node  0  access  memory in node 0 with access-latency 5 nanosec‐
504              onds, access-bandwidth is 200 MB/s; The processors in NUMA  node
505              0  access  memory in NUMA node 1 with access-latency 10 nanosec‐
506              onds, access-bandwidth is 100 MB/s. And for  memory  side  cache
507              information,  NUMA  node 0 and 1 both have 1 level memory cache,
508              size is 10KB, policy is write-back, the cache  Line  size  is  8
509              bytes:
510
511                 -machine hmat=on \
512                 -m 2G \
513                 -object memory-backend-ram,size=1G,id=m0 \
514                 -object memory-backend-ram,size=1G,id=m1 \
515                 -smp 2,sockets=2,maxcpus=2 \
516                 -numa node,nodeid=0,memdev=m0 \
517                 -numa node,nodeid=1,memdev=m1,initiator=0 \
518                 -numa cpu,node-id=0,socket-id=0 \
519                 -numa cpu,node-id=0,socket-id=1 \
520                 -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-latency,latency=5 \
521                 -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-bandwidth,bandwidth=200M \
522                 -numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-latency,latency=10 \
523                 -numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M \
524                 -numa hmat-cache,node-id=0,size=10K,level=1,associativity=direct,policy=write-back,line=8 \
525                 -numa hmat-cache,node-id=1,size=10K,level=1,associativity=direct,policy=write-back,line=8
526
527       -add-fd fd=fd,set=set[,opaque=opaque]
528              Add a file descriptor to an fd set. Valid options are:
529
530              fd=fd  This option defines the file descriptor of which a dupli‐
531                     cate is added to fd set. The file  descriptor  cannot  be
532                     stdin, stdout, or stderr.
533
534              set=set
535                     This  option defines the ID of the fd set to add the file
536                     descriptor to.
537
538              opaque=opaque
539                     This option defines a free-form string that can  be  used
540                     to describe fd.
541
542              You  can open an image using pre-opened file descriptors from an
543              fd set:
544
545                 qemu-system-x86_64 \
546                  -add-fd fd=3,set=2,opaque="rdwr:/path/to/file" \
547                  -add-fd fd=4,set=2,opaque="rdonly:/path/to/file" \
548                  -drive file=/dev/fdset/2,index=0,media=disk
549
550       -set group.id.arg=value
551              Set parameter arg for item id of type group
552
553       -global driver.prop=value
554
555
556       -global driver=driver,property=property,value=value
557              Set default value of driver's property prop to value, e.g.:
558
559                 qemu-system-x86_64 -global ide-hd.physical_block_size=4096 disk-image.img
560
561              In particular, you can use this to set driver properties for de‐
562              vices  which  are created automatically by the machine model. To
563              create a device which is not created automatically and set prop‐
564              erties on it, use -device.
565
566              -global    driver.prop=value    is    shorthand    for   -global
567              driver=driver,property=prop,value=value.  The  longhand   syntax
568              works even when driver contains a dot.
569
570       -boot                                                              [or‐
571       der=drives][,once=drives][,menu=on|off][,splash=sp_name][,splash-time=sp_time][,re‐
572       boot-timeout=rb_timeout][,strict=on|off]
573              Specify  boot  order  drives as a string of drive letters. Valid
574              drive letters depend on the  target  architecture.  The  x86  PC
575              uses:  a,  b  (floppy  1  and  2), c (first hard disk), d (first
576              CD-ROM), n-p (Etherboot from network  adapter  1-4),  hard  disk
577              boot  is  the default.  To apply a particular boot order only on
578              the first startup, specify it via once. Note that the  order  or
579              once  parameter  should  not be used together with the bootindex
580              property of devices, since the firmware implementations normally
581              do not support both at the same time.
582
583              Interactive boot menus/prompts can be enabled via menu=on as far
584              as firmware/BIOS supports them. The default  is  non-interactive
585              boot.
586
587              A  splash picture could be passed to bios, enabling user to show
588              it as logo, when option splash=sp_name is given and menu=on,  If
589              firmware/BIOS  supports  them.  Currently Seabios for X86 system
590              support it. limitation: The splash file could be a jpeg file  or
591              a  BMP  file in 24 BPP format(true color). The resolution should
592              be supported by the SVGA mode, so the  recommended  is  320x240,
593              640x480, 800x640.
594
595              A timeout could be passed to bios, guest will pause for rb_time‐
596              out ms when boot failed, then reboot.  If  rb_timeout  is  '-1',
597              guest will not reboot, qemu passes '-1' to bios by default. Cur‐
598              rently Seabios for X86 system support it.
599
600              Do strict boot via strict=on as far  as  firmware/BIOS  supports
601              it. This only effects when boot priority is changed by bootindex
602              options. The default is non-strict boot.
603
604                 # try to boot from network first, then from hard disk
605                 qemu-system-x86_64 -boot order=nc
606                 # boot from CD-ROM first, switch back to default order after reboot
607                 qemu-system-x86_64 -boot once=d
608                 # boot with a splash picture for 5 seconds.
609                 qemu-system-x86_64 -boot menu=on,splash=/root/boot.bmp,splash-time=5000
610
611              Note: The legacy format '-boot drives' is  still  supported  but
612              its  use  is  discouraged  as it may be removed from future ver‐
613              sions.
614
615       -m [size=]megs[,slots=n,maxmem=size]
616              Sets guest startup RAM size to megs megabytes.  Default  is  128
617              MiB.   Optionally, a suffix of "M" or "G" can be used to signify
618              a value in megabytes or gigabytes  respectively.  Optional  pair
619              slots, maxmem could be used to set amount of hotpluggable memory
620              slots and maximum amount of memory. Note  that  maxmem  must  be
621              aligned to the page size.
622
623              For  example,  the following command-line sets the guest startup
624              RAM size to 1GB, creates 3 slots to  hotplug  additional  memory
625              and sets the maximum memory the guest can reach to 4GB:
626
627                 qemu-system-x86_64 -m 1G,slots=3,maxmem=4G
628
629              If  slots  and maxmem are not specified, memory hotplug won't be
630              enabled and the guest startup RAM will never increase.
631
632       -mem-path path
633              Allocate guest RAM from a temporarily created file in path.
634
635       -mem-prealloc
636              Preallocate memory when using -mem-path.
637
638       -k language
639              Use keyboard layout language (for example fr for  French).  This
640              option  is  only  needed where it is not easy to get raw PC key‐
641              codes (e.g. on Macs, with some X11 servers  or  with  a  VNC  or
642              curses  display).  You don't normally need to use it on PC/Linux
643              or PC/Windows hosts.
644
645              The available layouts are:
646
647                 ar  de-ch  es  fo     fr-ca  hu  ja  mk     no  pt-br  sv
648                 da  en-gb  et  fr     fr-ch  is  lt  nl     pl  ru     th
649                 de  en-us  fi  fr-be  hr     it  lv  nl-be  pt  sl     tr
650
651              The default is en-us.
652
653       -audio-help
654              Will show the -audiodev equivalent of  the  currently  specified
655              (deprecated) environment variables.
656
657       -audio [driver=]driver,model=value[,prop[=value][,...]]
658              This  option  is a shortcut for configuring both the guest audio
659              hardware and the host audio backend in one go.  The  driver  op‐
660              tion  is the same as with the corresponding -audiodev option be‐
661              low.  The guest hardware model can be set with model=modelname.
662
663              Use driver=help to list the available drivers, and model=help to
664              list the available device types.
665
666              The  following two example do exactly the same, to show how -au‐
667              dio can be used to shorten the command line length:
668
669                 qemu-system-x86_64 -audiodev pa,id=pa -device sb16,audiodev=pa
670                 qemu-system-x86_64 -audio pa,model=sb16
671
672       -audiodev [driver=]driver,id=id[,prop[=value][,...]]
673              Adds a new audio backend driver  identified  by  id.  There  are
674              global  and  driver  specific properties. Some values can be set
675              differently for input and output, they're marked  with  in|out..
676              You  can  set the input's property with in.prop and the output's
677              property with out.prop. For example:
678
679                 -audiodev alsa,id=example,in.frequency=44110,out.frequency=8000
680                 -audiodev alsa,id=example,out.channels=1 # leaves in.channels unspecified
681
682              NOTE: parameter validation is known to be  incomplete,  in  many
683              cases specifying an invalid option causes QEMU to print an error
684              message and continue emulation without sound.
685
686              Valid global options are:
687
688              id=identifier
689                     Identifies the audio backend.
690
691              timer-period=period
692                     Sets the timer period used by the audio subsystem in  mi‐
693                     croseconds. Default is 10000 (10 ms).
694
695              in|out.mixing-engine=on|off
696                     Use  QEMU's  mixing engine to mix all streams inside QEMU
697                     and convert audio formats when not supported by the back‐
698                     end.  When off, fixed-settings must be off too. Note that
699                     disabling this option means  that  the  selected  backend
700                     must  support multiple streams and the audio formats used
701                     by the virtual cards, otherwise you'll get no sound. It's
702                     not recommended to disable this option unless you want to
703                     use 5.1 or 7.1 audio, as mixing engine only supports mono
704                     and stereo audio. Default is on.
705
706              in|out.fixed-settings=on|off
707                     Use  fixed  settings  for  host  audio. When off, it will
708                     change based on how the guest opens the  sound  card.  In
709                     this  case  you  must  not specify frequency, channels or
710                     format. Default is on.
711
712              in|out.frequency=frequency
713                     Specify the frequency to use when  using  fixed-settings.
714                     Default is 44100Hz.
715
716              in|out.channels=channels
717                     Specify   the  number  of  channels  to  use  when  using
718                     fixed-settings.  Default is 2 (stereo).
719
720              in|out.format=format
721                     Specify the sample format to use  when  using  fixed-set‐
722                     tings.   Valid  values  are:  s8, s16, s32, u8, u16, u32,
723                     f32. Default is s16.
724
725              in|out.voices=voices
726                     Specify the number of voices to use. Default is 1.
727
728              in|out.buffer-length=usecs
729                     Sets the size of the buffer in microseconds.
730
731       -audiodev none,id=id[,prop[=value][,...]]
732              Creates a dummy backend that discards all outputs. This  backend
733              has no backend specific properties.
734
735       -audiodev alsa,id=id[,prop[=value][,...]]
736              Creates  backend  using the ALSA. This backend is only available
737              on Linux.
738
739              ALSA specific options are:
740
741              in|out.dev=device
742                     Specify the ALSA device to use for input  and/or  output.
743                     Default is default.
744
745              in|out.period-length=usecs
746                     Sets the period length in microseconds.
747
748              in|out.try-poll=on|off
749                     Attempt to use poll mode with the device. Default is on.
750
751              threshold=threshold
752                     Threshold (in microseconds) when playback starts. Default
753                     is 0.
754
755       -audiodev coreaudio,id=id[,prop[=value][,...]]
756              Creates a backend using Apple's Core Audio. This backend is only
757              available on Mac OS and only supports playback.
758
759              Core Audio specific options are:
760
761              in|out.buffer-count=count
762                     Sets the count of the buffers.
763
764       -audiodev dsound,id=id[,prop[=value][,...]]
765              Creates a backend using Microsoft's DirectSound. This backend is
766              only available on Windows and only supports playback.
767
768              DirectSound specific options are:
769
770              latency=usecs
771                     Add extra usecs microseconds latency to playback. Default
772                     is 10000 (10 ms).
773
774       -audiodev oss,id=id[,prop[=value][,...]]
775              Creates  a  backend using OSS. This backend is available on most
776              Unix-like systems.
777
778              OSS specific options are:
779
780              in|out.dev=device
781                     Specify the file name of the OSS device to  use.  Default
782                     is /dev/dsp.
783
784              in|out.buffer-count=count
785                     Sets the count of the buffers.
786
787              in|out.try-poll=on|of
788                     Attempt to use poll mode with the device. Default is on.
789
790              try-mmap=on|off
791                     Try using memory mapped device access. Default is off.
792
793              exclusive=on|off
794                     Open  the  device  in  exclusive mode (vmix won't work in
795                     this case). Default is off.
796
797              dsp-policy=policy
798                     Sets the timing policy (between 0 and 10,  where  smaller
799                     number  means  smaller latency but higher CPU usage). Use
800                     -1 to use buffer  sizes  specified  by  buffer  and  buf‐
801                     fer-count.  This option is ignored if you do not have OSS
802                     4. Default is 5.
803
804       -audiodev pa,id=id[,prop[=value][,...]]
805              Creates a backend using PulseAudio. This backend is available on
806              most systems.
807
808              PulseAudio specific options are:
809
810              server=server
811                     Sets the PulseAudio server to connect to.
812
813              in|out.name=sink
814                     Use the specified source/sink for recording/playback.
815
816              in|out.latency=usecs
817                     Desired  latency  in  microseconds. The PulseAudio server
818                     will try to honor this value but actual latencies may  be
819                     lower or higher.
820
821       -audiodev pipewire,id=id[,prop[=value][,...]]
822              Creates  a  backend using PipeWire. This backend is available on
823              most systems.
824
825              PipeWire specific options are:
826
827              in|out.latency=usecs
828                     Desired latency in microseconds.
829
830              in|out.name=sink
831                     Use the specified source/sink for recording/playback.
832
833              in|out.stream-name
834                     Specify the name of pipewire stream.
835
836       -audiodev sdl,id=id[,prop[=value][,...]]
837              Creates a backend using SDL. This backend is available  on  most
838              systems,  but  you  should use your platform's native backend if
839              possible.
840
841              SDL specific options are:
842
843              in|out.buffer-count=count
844                     Sets the count of the buffers.
845
846       -audiodev sndio,id=id[,prop[=value][,...]]
847              Creates a backend using SNDIO.  This  backend  is  available  on
848              OpenBSD and most other Unix-like systems.
849
850              Sndio specific options are:
851
852              in|out.dev=device
853                     Specify  the sndio device to use for input and/or output.
854                     Default is default.
855
856              in|out.latency=usecs
857                     Sets the desired period length in microseconds.
858
859       -audiodev spice,id=id[,prop[=value][,...]]
860              Creates a backend that sends audio through SPICE.  This  backend
861              requires -spice and automatically selected in that case, so usu‐
862              ally you can ignore this option. This  backend  has  no  backend
863              specific properties.
864
865       -audiodev wav,id=id[,prop[=value][,...]]
866              Creates a backend that writes audio to a WAV file.
867
868              Backend specific options are:
869
870              path=path
871                     Write  recorded audio into the specified file. Default is
872                     qemu.wav.
873
874       -device driver[,prop[=value][,...]]
875              Add device driver.  prop=value  sets  driver  properties.  Valid
876              properties depend on the driver. To get help on possible drivers
877              and properties, use -device help and -device driver,help.
878
879              Some drivers are:
880
881       -device ipmi-bmc-sim,id=id[,prop[=value][,...]]
882              Add an IPMI BMC. This is a simulation of a  hardware  management
883              interface  processor that normally sits on a system. It provides
884              a watchdog and the ability to reset and power control  the  sys‐
885              tem.  You  need  to connect this to an IPMI interface to make it
886              useful
887
888              The IPMI slave address to use for the BMC. The default is  0x20.
889              This  address is the BMC's address on the I2C network of manage‐
890              ment controllers. If you don't know what this means, it is  safe
891              to ignore it.
892
893              id=id  The BMC id for interfaces to use this device.
894
895              slave_addr=val
896                     Define  slave  address to use for the BMC. The default is
897                     0x20.
898
899              sdrfile=file
900                     file containing raw Sensor Data Records (SDR)  data.  The
901                     default is none.
902
903              fruareasize=val
904                     size  of a Field Replaceable Unit (FRU) area. The default
905                     is 1024.
906
907              frudatafile=file
908                     file containing raw Field Replaceable Unit  (FRU)  inven‐
909                     tory data.  The default is none.
910
911              guid=uuid
912                     value  for the GUID for the BMC, in standard UUID format.
913                     If this is set, get "Get GUID" command to  the  BMC  will
914                     return it.  Otherwise "Get GUID" will return an error.
915
916       -device ipmi-bmc-extern,id=id,chardev=id[,slave_addr=val]
917              Add  a  connection to an external IPMI BMC simulator. Instead of
918              locally emulating the BMC like the above item,  instead  connect
919              to an external entity that provides the IPMI services.
920
921              A  connection  is  made  to an external BMC simulator. If you do
922              this, it is strongly recommended that you use  the  "reconnect="
923              chardev  option  to reconnect to the simulator if the connection
924              is lost. Note that if this is not used carefully, it  can  be  a
925              security issue, as the interface has the ability to send resets,
926              NMIs, and power off the VM. It's best if QEMU makes a connection
927              to  an external simulator running on a secure port on localhost,
928              so neither the simulator nor QEMU is exposed to any outside net‐
929              work.
930
931              See  the  "lanserv/README.vm"  file  in the OpenIPMI library for
932              more details on the external interface.
933
934       -device isa-ipmi-kcs,bmc=id[,ioport=val][,irq=val]
935              Add a KCS IPMI interface on the ISA bus. This also adds a corre‐
936              sponding ACPI and SMBIOS entries, if appropriate.
937
938              bmc=id The   BMC   to   connect   to,  one  of  ipmi-bmc-sim  or
939                     ipmi-bmc-extern above.
940
941              ioport=val
942                     Define the I/O address of the interface. The  default  is
943                     0xca0 for KCS.
944
945              irq=val
946                     Define the interrupt to use. The default is 5. To disable
947                     interrupts, set this to 0.
948
949       -device isa-ipmi-bt,bmc=id[,ioport=val][,irq=val]
950              Like the KCS interface, but defines a BT interface. The  default
951              port is 0xe4 and the default interrupt is 5.
952
953       -device pci-ipmi-kcs,bmc=id
954              Add a KCS IPMI interface on the PCI bus.
955
956              bmc=id The   BMC   to   connect   to,  one  of  ipmi-bmc-sim  or
957                     ipmi-bmc-extern above.
958
959       -device pci-ipmi-bt,bmc=id
960              Like the KCS interface, but defines a BT interface  on  the  PCI
961              bus.
962
963       -device intel-iommu[,option=...]
964              This  is only supported by -machine q35, which will enable Intel
965              VT-d emulation within the guest.  It supports below options:
966
967              intremap=on|off (default: auto)
968                     This enables interrupt remapping feature.  It's  required
969                     to  enable  complete  x2apic.  Currently it only supports
970                     kvm kernel-irqchip modes off or split,  while  full  ker‐
971                     nel-irqchip  is  not yet supported.  The default value is
972                     "auto", which  will  be  decided  by  the  mode  of  ker‐
973                     nel-irqchip.
974
975              caching-mode=on|off (default: off)
976                     This  enables  caching mode for the VT-d emulated device.
977                     When caching-mode is enabled, each guest DMA buffer  map‐
978                     ping  will  generate an IOTLB invalidation from the guest
979                     IOMMU driver to the vIOMMU device in a  synchronous  way.
980                     It is required for -device vfio-pci to work with the VT-d
981                     device, because host assigned devices requires  to  setup
982                     the DMA mapping on the host before guest DMA starts.
983
984              device-iotlb=on|off (default: off)
985                     This  enables  device-iotlb  capability  for the emulated
986                     VT-d device.  So far virtio/vhost should be the only real
987                     user  for  this  parameter, paired with ats=on configured
988                     for the device.
989
990              aw-bits=39|48 (default: 39)
991                     This decides the address width  of  IOVA  address  space.
992                     The  address  space  has  39 bits width for 3-level IOMMU
993                     page tables, and 48 bits for 4-level IOMMU page tables.
994
995              Please also refer to the wiki page for general scenarios of VT-d
996              emulation in QEMU: https://wiki.qemu.org/Features/VT-d.
997
998       -name name
999              Sets  the  name of the guest. This name will be displayed in the
1000              SDL window caption. The name will  also  be  used  for  the  VNC
1001              server.  Also  optionally  set  the  top visible process name in
1002              Linux. Naming of individual threads can also be enabled on Linux
1003              to aid debugging.
1004
1005       -uuid uuid
1006              Set system UUID.
1007
1008   Block device options
1009       The  QEMU  block  device  handling options have a long history and have
1010       gone through several iterations as the feature set  and  complexity  of
1011       the  block layer have grown. Many online guides to QEMU often reference
1012       older and deprecated options, which can lead to confusion.
1013
1014       The most explicit way to describe disks is to use a combination of -de‐
1015       vice to specify the hardware device and -blockdev to describe the back‐
1016       end. The device defines what the guest sees and the  backend  describes
1017       how  QEMU  handles the data. It is the only guaranteed stable interface
1018       for describing block devices and as such is recommended for  management
1019       tools and scripting.
1020
1021       The -drive option combines the device and backend into a single command
1022       line option which is a more human friendly. There is however no  inter‐
1023       face  stability  guarantee  although some older board models still need
1024       updating to work with the modern blockdev forms.
1025
1026       Older options like -hda are essentially macros which expand into -drive
1027       options  for various drive interfaces. The original forms bake in a lot
1028       of assumptions from the days when QEMU was emulating a legacy PC,  they
1029       are not recommended for modern configurations.
1030
1031       -fda file
1032
1033
1034       -fdb file
1035              Use  file  as floppy disk 0/1 image (see the Disk Images chapter
1036              in the System Emulation Users Guide).
1037
1038       -hda file
1039
1040
1041       -hdb file
1042
1043
1044       -hdc file
1045
1046
1047       -hdd file
1048              Use file as hard disk 0, 1, 2 or 3 image on the default  bus  of
1049              the  emulated  machine  (this is for example the IDE bus on most
1050              x86 machines, but it can also be SCSI, virtio or something  else
1051              on other target architectures). See also the Disk Images chapter
1052              in the System Emulation Users Guide.
1053
1054       -cdrom file
1055              Use file as CD-ROM image on the default bus of the emulated  ma‐
1056              chine  (which  is IDE1 master on x86, so you cannot use -hdc and
1057              -cdrom at the same time there). On systems that support it,  you
1058              can use the host CD-ROM by using /dev/cdrom as filename.
1059
1060       -blockdev option[,option[,option[,...]]]
1061              Define a new block driver node. Some of the options apply to all
1062              block drivers, other options are only accepted  for  a  specific
1063              block  driver.  See  below for a list of generic options and op‐
1064              tions for the most common block drivers.
1065
1066              Options that expect a reference to another node (e.g. file)  can
1067              be given in two ways. Either you specify the node name of an al‐
1068              ready existing node (file=node-name), or you define a  new  node
1069              inline,  adding  options  for  the  referenced  node after a dot
1070              (file.filename=path,file.aio=native).
1071
1072              A block driver node created with -blockdev can  be  used  for  a
1073              guest  device by specifying its node name for the drive property
1074              in a -device argument that defines a block device.
1075
1076              Valid options for any block driver node:
1077
1078                     driver Specifies the block driver to use  for  the  given
1079                            node.
1080
1081                     node-name
1082                            This  defines the name of the block driver node by
1083                            which it will be referenced later. The  name  must
1084                            be  unique,  i.e.  it must not match the name of a
1085                            different block driver node, or (if you use -drive
1086                            as well) the ID of a drive.
1087
1088                            If  no node name is specified, it is automatically
1089                            generated.  The generated node  name  is  not  in‐
1090                            tended  to be predictable and changes between QEMU
1091                            invocations. For the top level, an  explicit  node
1092                            name must be specified.
1093
1094                     read-only
1095                            Open the node read-only. Guest write attempts will
1096                            fail.
1097
1098                            Note  that  some  block   drivers   support   only
1099                            read-only  access,  either generally or in certain
1100                            configurations. In this case,  the  default  value
1101                            read-only=off does not work and the option must be
1102                            specified explicitly.
1103
1104                     auto-read-only
1105                            If auto-read-only=on is set, QEMU may fall back to
1106                            read-only  usage  even  when  read-only=off is re‐
1107                            quested, or even switch between modes  as  needed,
1108                            e.g.  depending  on  whether  the  image  file  is
1109                            writable or whether a writing user is attached  to
1110                            the node.
1111
1112                     force-share
1113                            Override the image locking system of QEMU by forc‐
1114                            ing the node to utilize weaker shared  access  for
1115                            permissions where it would normally request exclu‐
1116                            sive access. When there is the potential for  mul‐
1117                            tiple   instances  to  have  the  same  file  open
1118                            (whether this invocation of QEMU is the  first  or
1119                            the  second  instance), both instances must permit
1120                            shared access for the second instance  to  succeed
1121                            at opening the file.
1122
1123                            Enabling force-share=on requires read-only=on.
1124
1125                     cache.direct
1126                            The  host page cache can be avoided with cache.di‐
1127                            rect=on.  This will attempt to do disk IO directly
1128                            to  the  guest's memory. QEMU may still perform an
1129                            internal copy of the data.
1130
1131                     cache.no-flush
1132                            In case you don't care about data  integrity  over
1133                            host failures, you can use cache.no-flush=on. This
1134                            option tells QEMU that it never needs to write any
1135                            data  to  the  disk but can instead keep things in
1136                            cache. If anything goes wrong, like your host los‐
1137                            ing  power,  the disk storage getting disconnected
1138                            accidentally, etc. your image will  most  probably
1139                            be rendered unusable.
1140
1141                     discard=discard
1142                            discard  is  one of "ignore" (or "off") or "unmap"
1143                            (or "on") and controls whether discard (also known
1144                            as  trim  or unmap) requests are ignored or passed
1145                            to the filesystem.  Some  machine  types  may  not
1146                            support discard requests.
1147
1148                     detect-zeroes=detect-zeroes
1149                            detect-zeroes  is  "off",  "on" or "unmap" and en‐
1150                            ables  the  automatic  conversion  of  plain  zero
1151                            writes by the OS to driver specific optimized zero
1152                            write commands. You may  even  choose  "unmap"  if
1153                            discard is set to "unmap" to allow a zero write to
1154                            be converted to an unmap operation.
1155
1156              Driver-specific options for file
1157                     This is the protocol-level  block  driver  for  accessing
1158                     regular files.
1159
1160                     filename
1161                            The path to the image file in the local filesystem
1162
1163                     aio    Specifies  the  AIO backend (threads/native/io_ur‐
1164                            ing, default: threads)
1165
1166                     locking
1167                            Specifies whether the image file is protected with
1168                            Linux OFD / POSIX locks. The default is to use the
1169                            Linux Open File Descriptor API if available,  oth‐
1170                            erwise no lock is applied.  (auto/on/off, default:
1171                            auto)
1172
1173                     Example:
1174
1175                        -blockdev driver=file,node-name=disk,filename=disk.img
1176
1177              Driver-specific options for raw
1178                     This is the image format block driver for raw images.  It
1179                     is  usually  stacked  on  top  of  a protocol level block
1180                     driver such as file.
1181
1182                     file   Reference to or  definition  of  the  data  source
1183                            block driver node (e.g. a file driver node)
1184
1185                     Example 1:
1186
1187                        -blockdev driver=file,node-name=disk_file,filename=disk.img
1188                        -blockdev driver=raw,node-name=disk,file=disk_file
1189
1190                     Example 2:
1191
1192                        -blockdev driver=raw,node-name=disk,file.driver=file,file.filename=disk.img
1193
1194              Driver-specific options for qcow2
1195                     This  is  the image format block driver for qcow2 images.
1196                     It is usually stacked on top of a  protocol  level  block
1197                     driver such as file.
1198
1199                     file   Reference  to  or  definition  of  the data source
1200                            block driver node (e.g. a file driver node)
1201
1202                     backing
1203                            Reference to or definition  of  the  backing  file
1204                            block  device  (default  is  taken  from the image
1205                            file). It is allowed to pass null here in order to
1206                            disable the default backing file.
1207
1208                     lazy-refcounts
1209                            Whether  to  enable  the  lazy  refcounts  feature
1210                            (on/off; default is taken from the image file)
1211
1212                     cache-size
1213                            The maximum total size of the L2  table  and  ref‐
1214                            count  block  caches in bytes (default: the sum of
1215                            l2-cache-size and refcount-cache-size)
1216
1217                     l2-cache-size
1218                            The maximum size of the L2 table  cache  in  bytes
1219                            (default:  if cache-size is not specified - 32M on
1220                            Linux platforms, and 8M  on  non-Linux  platforms;
1221                            otherwise,   as   large  as  possible  within  the
1222                            cache-size, while permitting the requested or  the
1223                            minimal refcount cache size)
1224
1225                     refcount-cache-size
1226                            The  maximum  size  of the refcount block cache in
1227                            bytes (default: 4 times the cluster  size;  or  if
1228                            cache-size  is  specified, the part of it which is
1229                            not used for the L2 cache)
1230
1231                     cache-clean-interval
1232                            Clean  unused  entries  in  the  L2  and  refcount
1233                            caches.  The  interval  is in seconds. The default
1234                            value is 600 on supporting  platforms,  and  0  on
1235                            other  platforms.  Setting  it  to 0 disables this
1236                            feature.
1237
1238                     pass-discard-request
1239                            Whether  discard  requests  to  the  qcow2  device
1240                            should  be  forwarded  to the data source (on/off;
1241                            default: on if  discard=unmap  is  specified,  off
1242                            otherwise)
1243
1244                     pass-discard-snapshot
1245                            Whether  discard  requests  for  the  data  source
1246                            should be issued when a snapshot  operation  (e.g.
1247                            deleting  a  snapshot) frees clusters in the qcow2
1248                            file (on/off; default: on)
1249
1250                     pass-discard-other
1251                            Whether  discard  requests  for  the  data  source
1252                            should  be issued on other occasions where a clus‐
1253                            ter gets freed (on/off; default: off)
1254
1255                     discard-no-unref
1256                            When enabled, data clusters will  remain  preallo‐
1257                            cated  when  they are no longer used, e.g. because
1258                            they are discarded or converted to zero  clusters.
1259                            As  usual,  whether  the  old data is discarded or
1260                            kept on the protocol  level  (i.e.  in  the  image
1261                            file)  depends  on  the  setting  of the pass-dis‐
1262                            card-request option. Keeping the clusters preallo‐
1263                            cated prevents qcow2 fragmentation that would oth‐
1264                            erwise be caused by freeing and re-allocating them
1265                            later.  Besides potential performance degradation,
1266                            such fragmentation can lead to  increased  alloca‐
1267                            tion  of  clusters past the end of the image file,
1268                            resulting in image files  whose  file  length  can
1269                            grow  much larger than their guest disk size would
1270                            suggest.  If image file length is of concern (e.g.
1271                            when  storing  qcow2  images directly on block de‐
1272                            vices), you should consider enabling this option.
1273
1274                     overlap-check
1275                            Which overlap checks to perform for writes to  the
1276                            image (none/constant/cached/all; default: cached).
1277                            For details or finer granularity control refer  to
1278                            the QAPI documentation of blockdev-add.
1279
1280                     Example 1:
1281
1282                        -blockdev driver=file,node-name=my_file,filename=/tmp/disk.qcow2
1283                        -blockdev driver=qcow2,node-name=hda,file=my_file,overlap-check=none,cache-size=16777216
1284
1285                     Example 2:
1286
1287                        -blockdev driver=qcow2,node-name=disk,file.driver=http,file.filename=http://example.com/image.qcow2
1288
1289              Driver-specific options for other drivers
1290                     Please  refer  to  the  QAPI  documentation of the block‐
1291                     dev-add QMP command.
1292
1293       -drive option[,option[,option[,...]]]
1294              Define a new drive. This includes creating a block  driver  node
1295              (the  backend) as well as a guest device, and is mostly a short‐
1296              cut for defining the corresponding  -blockdev  and  -device  op‐
1297              tions.
1298
1299              -drive  accepts  all options that are accepted by -blockdev.  In
1300              addition, it knows the following options:
1301
1302              file=file
1303                     This option defines which disk image (see the Disk Images
1304                     chapter  in the System Emulation Users Guide) to use with
1305                     this drive.  If the filename  contains  comma,  you  must
1306                     double  it  (for  instance,  "file=my,,file"  to use file
1307                     "my,file").
1308
1309                     Special files such as iSCSI devices can be specified  us‐
1310                     ing  protocol  specific URLs. See the section for "Device
1311                     URL Syntax" for more information.
1312
1313              if=interface
1314                     This option defines on which type on interface the  drive
1315                     is  connected.  Available  types are: ide, scsi, sd, mtd,
1316                     floppy, pflash, virtio, none.
1317
1318              bus=bus,unit=unit
1319                     These options define where  is  connected  the  drive  by
1320                     defining the bus number and the unit id.
1321
1322              index=index
1323                     This option defines where the drive is connected by using
1324                     an index in the list of available connectors of  a  given
1325                     interface type.
1326
1327              media=media
1328                     This option defines the type of the media: disk or cdrom.
1329
1330              snapshot=snapshot
1331                     snapshot  is "on" or "off" and controls snapshot mode for
1332                     the given drive (see -snapshot).
1333
1334              cache=cache
1335                     cache is "none", "writeback", "unsafe",  "directsync"  or
1336                     "writethrough" and controls how the host cache is used to
1337                     access block data. This  is  a  shortcut  that  sets  the
1338                     cache.direct  and  cache.no-flush  options (as in -block‐
1339                     dev), and additionally cache.writeback, which provides  a
1340                     default for the write-cache option of block guest devices
1341                     (as in -device). The modes correspond  to  the  following
1342                     settings:
1343
1344                  ┌─────────────┬─────────────────┬──────────────┬────────────────┐
1345                  │             │ cache.writeback │ cache.direct │ cache.no-flush │
1346                  ├─────────────┼─────────────────┼──────────────┼────────────────┤
1347                  │writeback    │ on              │ off          │ off            │
1348                  ├─────────────┼─────────────────┼──────────────┼────────────────┤
1349                  │none         │ on              │ on           │ off            │
1350                  ├─────────────┼─────────────────┼──────────────┼────────────────┤
1351                  │writethrough │ off             │ off          │ off            │
1352                  ├─────────────┼─────────────────┼──────────────┼────────────────┤
1353                  │directsync   │ off             │ on           │ off            │
1354                  ├─────────────┼─────────────────┼──────────────┼────────────────┤
1355                  │unsafe       │ on              │ off          │ on             │
1356                  └─────────────┴─────────────────┴──────────────┴────────────────┘
1357
1358                     The default mode is cache=writeback.
1359
1360              aio=aio
1361                     aio is "threads", "native", or "io_uring" and selects be‐
1362                     tween pthread based disk I/O, native Linux AIO, or  Linux
1363                     io_uring API.
1364
1365              format=format
1366                     Specify  which  disk  format will be used rather than de‐
1367                     tecting the format. Can be used to specify format=raw  to
1368                     avoid interpreting an untrusted format header.
1369
1370              werror=action,rerror=action
1371                     Specify  which  action  to take on write and read errors.
1372                     Valid actions are: "ignore" (ignore the error and try  to
1373                     continue),  "stop" (pause QEMU), "report" (report the er‐
1374                     ror to the guest), "enospc" (pause QEMU only if the  host
1375                     disk  is  full; report the error to the guest otherwise).
1376                     The default setting is werror=enospc and rerror=report.
1377
1378              copy-on-read=copy-on-read
1379                     copy-on-read is "on" or "off" and enables whether to copy
1380                     read backing file sectors into the image file.
1381
1382              bps=b,bps_rd=r,bps_wr=w
1383                     Specify  bandwidth throttling limits in bytes per second,
1384                     either for all request types or for reads or writes only.
1385                     Small  values  can  lead  to timeouts or hangs inside the
1386                     guest. A safe minimum for disks is 2 MB/s.
1387
1388              bps_max=bm,bps_rd_max=rm,bps_wr_max=wm
1389                     Specify bursts in bytes per second, either  for  all  re‐
1390                     quest types or for reads or writes only. Bursts allow the
1391                     guest I/O to spike above the limit temporarily.
1392
1393              iops=i,iops_rd=r,iops_wr=w
1394                     Specify request rate limits in requests per  second,  ei‐
1395                     ther for all request types or for reads or writes only.
1396
1397              iops_max=bm,iops_rd_max=rm,iops_wr_max=wm
1398                     Specify bursts in requests per second, either for all re‐
1399                     quest types or for reads or writes only. Bursts allow the
1400                     guest I/O to spike above the limit temporarily.
1401
1402              iops_size=is
1403                     Let  every  is  bytes of a request count as a new request
1404                     for iops throttling purposes. Use this option to  prevent
1405                     guests  from  circumventing  iops limits by sending fewer
1406                     but larger requests.
1407
1408              group=g
1409                     Join a throttling quota group  with  given  name  g.  All
1410                     drives  that  are members of the same group are accounted
1411                     for together. Use this option to prevent guests from cir‐
1412                     cumventing  throttling  limits  by using many small disks
1413                     instead of a single larger disk.
1414
1415              By default, the cache.writeback=on mode is used. It will  report
1416              data  writes  as completed as soon as the data is present in the
1417              host page cache. This is safe as long as  your  guest  OS  makes
1418              sure  to correctly flush disk caches where needed. If your guest
1419              OS does not handle volatile disk write caches correctly and your
1420              host  crashes or loses power, then the guest may experience data
1421              corruption.
1422
1423              For such guests, you should consider using  cache.writeback=off.
1424              This  means  that  the  host page cache will be used to read and
1425              write data, but write notification will be  sent  to  the  guest
1426              only  after  QEMU has made sure to flush each write to the disk.
1427              Be aware that this has a major impact on performance.
1428
1429              When using the -snapshot option, unsafe caching is always used.
1430
1431              Copy-on-read avoids accessing the same backing file sectors  re‐
1432              peatedly and is useful when the backing file is over a slow net‐
1433              work. By default copy-on-read is off.
1434
1435              Instead of -cdrom you can use:
1436
1437                 qemu-system-x86_64 -drive file=file,index=2,media=cdrom
1438
1439              Instead of -hda, -hdb, -hdc, -hdd, you can use:
1440
1441                 qemu-system-x86_64 -drive file=file,index=0,media=disk
1442                 qemu-system-x86_64 -drive file=file,index=1,media=disk
1443                 qemu-system-x86_64 -drive file=file,index=2,media=disk
1444                 qemu-system-x86_64 -drive file=file,index=3,media=disk
1445
1446              You can open an image using pre-opened file descriptors from  an
1447              fd set:
1448
1449                 qemu-system-x86_64 \
1450                  -add-fd fd=3,set=2,opaque="rdwr:/path/to/file" \
1451                  -add-fd fd=4,set=2,opaque="rdonly:/path/to/file" \
1452                  -drive file=/dev/fdset/2,index=0,media=disk
1453
1454              You can connect a CDROM to the slave of ide0:
1455
1456                 qemu-system-x86_64 -drive file=file,if=ide,index=1,media=cdrom
1457
1458              If  you  don't specify the "file=" argument, you define an empty
1459              drive:
1460
1461                 qemu-system-x86_64 -drive if=ide,index=1,media=cdrom
1462
1463              Instead of -fda, -fdb, you can use:
1464
1465                 qemu-system-x86_64 -drive file=file,index=0,if=floppy
1466                 qemu-system-x86_64 -drive file=file,index=1,if=floppy
1467
1468              By default, interface is "ide" and index is automatically incre‐
1469              mented:
1470
1471                 qemu-system-x86_64 -drive file=a -drive file=b
1472
1473              is interpreted like:
1474
1475                 qemu-system-x86_64 -hda a -hdb b
1476
1477       -mtdblock file
1478              Use file as on-board Flash memory image.
1479
1480       -sd file
1481              Use file as SecureDigital card image.
1482
1483       -snapshot
1484              Write  to  temporary  files instead of disk image files. In this
1485              case, the raw disk image you use is not written  back.  You  can
1486              however force the write back by pressing C-a s (see the Disk Im‐
1487              ages chapter in the System Emulation Users Guide).
1488
1489              WARNING:
1490                 snapshot is incompatible with -blockdev (instead use qemu-img
1491                 to  manually  create snapshot images to attach to your block‐
1492                 dev).  If you have mixed -blockdev  and  -drive  declarations
1493                 you  can  use  the 'snapshot' property on your drive declara‐
1494                 tions instead of this global option.
1495
1496       -fsdev   local,id=id,path=path,security_model=security_model   [,write‐
1497       out=writeout][,readonly=on][,fmode=fmode][,dmode=dmode]        [,throt‐
1498       tling.option=value[,throttling.option=value[,...]]]
1499
1500
1501       -fsdev proxy,id=id,socket=socket[,writeout=writeout][,readonly=on]
1502
1503
1504       -fsdev proxy,id=id,sock_fd=sock_fd[,writeout=writeout][,readonly=on]
1505
1506
1507       -fsdev synth,id=id[,readonly=on]
1508              Define a new file system device. Valid options are:
1509
1510              local  Accesses to the filesystem are done by QEMU.
1511
1512              proxy  Accesses    to    the    filesystem    are    done     by
1513                     virtfs-proxy-helper(1).  This option is deprecated (since
1514                     QEMU 8.1) and will be removed  in  a  future  version  of
1515                     QEMU. Use local instead.
1516
1517              synth  Synthetic filesystem, only used by QTests.
1518
1519              id=id  Specifies identifier for this device.
1520
1521              path=path
1522                     Specifies  the  export  path  for the file system device.
1523                     Files under this path will be available to the 9p  client
1524                     on the guest.
1525
1526              security_model=security_model
1527                     Specifies  the  security model to be used for this export
1528                     path.   Supported  security  models  are   "passthrough",
1529                     "mapped-xattr",     "mapped-file"    and    "none".    In
1530                     "passthrough" security model, files are stored using  the
1531                     same  credentials  as they are created on the guest. This
1532                     requires QEMU to run as root. In "mapped-xattr"  security
1533                     model,  some  of  the file attributes like uid, gid, mode
1534                     bits and link target are stored as file  attributes.  For
1535                     "mapped-file"  these  attributes are stored in the hidden
1536                     .virtfs_metadata directory. Directories exported by  this
1537                     security  model  cannot  interact  with other unix tools.
1538                     "none" security model is same as passthrough  except  the
1539                     sever  won't  report failures if it fails to set file at‐
1540                     tributes like ownership. Security model is mandatory only
1541                     for  local  fsdriver.  Other fsdrivers (like proxy) don't
1542                     take security model as a parameter.
1543
1544              writeout=writeout
1545                     This is an optional argument. The only supported value is
1546                     "immediate". This means that host page cache will be used
1547                     to read and write data but  write  notification  will  be
1548                     sent to the guest only when the data has been reported as
1549                     written by the storage subsystem.
1550
1551              readonly=on
1552                     Enables exporting  9p  share  as  a  readonly  mount  for
1553                     guests. By default read-write access is given.
1554
1555              socket=socket
1556                     Enables proxy filesystem driver to use passed socket file
1557                     for communicating with virtfs-proxy-helper(1).
1558
1559              sock_fd=sock_fd
1560                     Enables proxy filesystem driver to use passed socket  de‐
1561                     scriptor  for  communicating with virtfs-proxy-helper(1).
1562                     Usually a helper like libvirt will create socketpair  and
1563                     pass one of the fds as sock_fd.
1564
1565              fmode=fmode
1566                     Specifies the default mode for newly created files on the
1567                     host.  Works only with security models "mapped-xattr" and
1568                     "mapped-file".
1569
1570              dmode=dmode
1571                     Specifies  the default mode for newly created directories
1572                     on  the   host.   Works   only   with   security   models
1573                     "mapped-xattr" and "mapped-file".
1574
1575              throttling.bps-total=b,throttling.bps-read=r,throt‐
1576              tling.bps-write=w
1577                     Specify bandwidth throttling limits in bytes per  second,
1578                     either for all request types or for reads or writes only.
1579
1580              throttling.bps-total-max=bm,bps-read-max=rm,bps-write-max=wm
1581                     Specify  bursts  in  bytes per second, either for all re‐
1582                     quest types or for reads or writes only. Bursts allow the
1583                     guest I/O to spike above the limit temporarily.
1584
1585              throttling.iops-total=i,throttling.iops-read=r,           throt‐
1586              tling.iops-write=w
1587                     Specify request rate limits in requests per  second,  ei‐
1588                     ther for all request types or for reads or writes only.
1589
1590              throttling.iops-total-max=im,throttling.iops-read-max=irm,
1591              throttling.iops-write-max=iwm
1592                     Specify bursts in requests per second, either for all re‐
1593                     quest types or for reads or writes only. Bursts allow the
1594                     guest I/O to spike above the limit temporarily.
1595
1596              throttling.iops-size=is
1597                     Let every is bytes of a request count as  a  new  request
1598                     for iops throttling purposes.
1599
1600              -fsdev option is used along with -device driver "virtio-9p-...".
1601
1602       -device virtio-9p-type,fsdev=id,mount_tag=mount_tag
1603              Options for virtio-9p-... driver are:
1604
1605              type   Specifies  the  variant  to be used. Supported values are
1606                     "pci", "ccw" or "device", depending on the machine type.
1607
1608              fsdev=id
1609                     Specifies the id value specified along  with  -fsdev  op‐
1610                     tion.
1611
1612              mount_tag=mount_tag
1613                     Specifies  the  tag name to be used by the guest to mount
1614                     this export point.
1615
1616       -virtfs    local,path=path,mount_tag=mount_tag    ,security_model=secu‐
1617       rity_model[,writeout=writeout][,readonly=on]
1618       [,fmode=fmode][,dmode=dmode][,multidevs=multidevs]
1619
1620
1621       -virtfs    proxy,socket=socket,mount_tag=mount_tag    [,writeout=write‐
1622       out][,readonly=on]
1623
1624
1625       -virtfs   proxy,sock_fd=sock_fd,mount_tag=mount_tag   [,writeout=write‐
1626       out][,readonly=on]
1627
1628
1629       -virtfs synth,mount_tag=mount_tag
1630              Define a new virtual filesystem device  and  expose  it  to  the
1631              guest  using a virtio-9p-device (a.k.a. 9pfs), which essentially
1632              means that a certain directory on host is made directly accessi‐
1633              ble  by guest as a pass-through file system by using the 9P net‐
1634              work protocol for communication between host and guests, if  de‐
1635              sired even accessible, shared by several guests simultaneously.
1636
1637              Note  that  -virtfs  is actually just a convenience shortcut for
1638              its generalized form -fsdev -device virtio-9p-pci.
1639
1640              The general form of pass-through file system options are:
1641
1642              local  Accesses to the filesystem are done by QEMU.
1643
1644              proxy  Accesses    to    the    filesystem    are    done     by
1645                     virtfs-proxy-helper(1).  This option is deprecated (since
1646                     QEMU 8.1) and will be removed  in  a  future  version  of
1647                     QEMU. Use local instead.
1648
1649              synth  Synthetic filesystem, only used by QTests.
1650
1651              id=id  Specifies identifier for the filesystem device
1652
1653              path=path
1654                     Specifies  the  export  path  for the file system device.
1655                     Files under this path will be available to the 9p  client
1656                     on the guest.
1657
1658              security_model=security_model
1659                     Specifies  the  security model to be used for this export
1660                     path.   Supported  security  models  are   "passthrough",
1661                     "mapped-xattr",     "mapped-file"    and    "none".    In
1662                     "passthrough" security model, files are stored using  the
1663                     same  credentials  as they are created on the guest. This
1664                     requires QEMU to run as root. In "mapped-xattr"  security
1665                     model,  some  of  the file attributes like uid, gid, mode
1666                     bits and link target are stored as file  attributes.  For
1667                     "mapped-file"  these  attributes are stored in the hidden
1668                     .virtfs_metadata directory. Directories exported by  this
1669                     security  model  cannot  interact  with other unix tools.
1670                     "none" security model is same as passthrough  except  the
1671                     sever  won't  report failures if it fails to set file at‐
1672                     tributes like ownership. Security model is mandatory only
1673                     for  local  fsdriver.  Other fsdrivers (like proxy) don't
1674                     take security model as a parameter.
1675
1676              writeout=writeout
1677                     This is an optional argument. The only supported value is
1678                     "immediate". This means that host page cache will be used
1679                     to read and write data but  write  notification  will  be
1680                     sent to the guest only when the data has been reported as
1681                     written by the storage subsystem.
1682
1683              readonly=on
1684                     Enables exporting  9p  share  as  a  readonly  mount  for
1685                     guests. By default read-write access is given.
1686
1687              socket=socket
1688                     Enables proxy filesystem driver to use passed socket file
1689                     for communicating with virtfs-proxy-helper(1). Usually  a
1690                     helper  like  libvirt will create socketpair and pass one
1691                     of the fds as sock_fd.
1692
1693              sock_fd
1694                     Enables proxy filesystem driver to use  passed  'sock_fd'
1695                     as   the   socket   descriptor   for   interfacing   with
1696                     virtfs-proxy-helper(1).
1697
1698              fmode=fmode
1699                     Specifies the default mode for newly created files on the
1700                     host.  Works only with security models "mapped-xattr" and
1701                     "mapped-file".
1702
1703              dmode=dmode
1704                     Specifies the default mode for newly created  directories
1705                     on   the   host.   Works   only   with   security  models
1706                     "mapped-xattr" and "mapped-file".
1707
1708              mount_tag=mount_tag
1709                     Specifies the tag name to be used by the guest  to  mount
1710                     this export point.
1711
1712              multidevs=multidevs
1713                     Specifies  how to deal with multiple devices being shared
1714                     with  a  9p  export.  Supported  behaviours  are   either
1715                     "remap",  "forbid"  or  "warn". The latter is the default
1716                     behaviour on which virtfs 9p expects only one  device  to
1717                     be  shared with the same export, and if more than one de‐
1718                     vice is shared and accessed via the same 9p  export  then
1719                     only  a  warning message is logged (once) by qemu on host
1720                     side. In order to avoid file ID collisions on  guest  you
1721                     should  either  create  a separate virtfs export for each
1722                     device to be shared with guests (recommended way) or  you
1723                     might  use "remap" instead which allows you to share mul‐
1724                     tiple devices with only  one  export  instead,  which  is
1725                     achieved  by  remapping  the  original inode numbers from
1726                     host to guest in a way that  would  prevent  such  colli‐
1727                     sions. Remapping inodes in such use cases is required be‐
1728                     cause the original device IDs from host are never  passed
1729                     and  exposed  on  guest.  Instead  all files of an export
1730                     shared with virtfs always share the  same  device  id  on
1731                     guest. So two files with identical inode numbers but from
1732                     actually different devices on host would otherwise  cause
1733                     a  file ID collision and hence potential misbehaviours on
1734                     guest. "forbid" on the other  hand  assumes  like  "warn"
1735                     that  only  one device is shared by the same export, how‐
1736                     ever it will not only log a warning message but also deny
1737                     access  to  additional devices on guest. Note though that
1738                     "forbid" does currently not block all possible  file  ac‐
1739                     cess  operations  (e.g.  readdir() would still return en‐
1740                     tries from other devices).
1741
1742       -iscsi Configure iSCSI session parameters.
1743
1744   USB convenience options
1745       -usb   Enable USB emulation on machine types with an on-board USB  host
1746              controller  (if  not enabled by default). Note that on-board USB
1747              host controllers may not support USB 3.0. In this  case  -device
1748              qemu-xhci can be used instead on machines with PCI.
1749
1750       -usbdevice devname
1751              Add  the  USB  device  devname,  and enable an on-board USB con‐
1752              troller if possible and necessary (just like it can be done  via
1753              -machine  usb=on).  Note that this option is mainly intended for
1754              the user's convenience only. More fine-grained  control  can  be
1755              achieved  by  selecting a USB host controller (if necessary) and
1756              the desired USB device via the -device option instead. For exam‐
1757              ple,  instead  of  using  -usbdevice mouse it is possible to use
1758              -device qemu-xhci -device usb-mouse to connect the USB mouse  to
1759              a  USB 3.0 controller instead (at least on machines that support
1760              PCI and do not have an USB controller enabled by  default  yet).
1761              For  more  details, see the chapter about Connecting USB devices
1762              in the System Emulation Users Guide.  Possible devices for  dev‐
1763              name are:
1764
1765              braille
1766                     Braille  device.  This  will  use  BrlAPI  to display the
1767                     braille output on a real or fake  device  (i.e.  it  also
1768                     creates a corresponding braille chardev automatically be‐
1769                     side the usb-braille USB device).
1770
1771              keyboard
1772                     Standard USB keyboard. Will override  the  PS/2  keyboard
1773                     (if present).
1774
1775              mouse  Virtual  Mouse.  This will override the PS/2 mouse emula‐
1776                     tion when activated.
1777
1778              tablet Pointer device that uses  absolute  coordinates  (like  a
1779                     touchscreen). This means QEMU is able to report the mouse
1780                     position without having to grab the mouse. Also overrides
1781                     the PS/2 mouse emulation when activated.
1782
1783              wacom-tablet
1784                     Wacom PenPartner USB tablet.
1785
1786   Display options
1787       -display type
1788              Select  type  of  display  to use. Use -display help to list the
1789              available display types. Valid values for type are
1790
1791              spice-app[,gl=on|off]
1792                     Start QEMU as a Spice server and launch the default Spice
1793                     client  application.  The  Spice server will redirect the
1794                     serial consoles and QEMU monitors. (Since 4.0)
1795
1796              dbus   Export the display over D-Bus interfaces. (Since 7.0)
1797
1798                     The connection is registered  with  the  "org.qemu"  name
1799                     (and queued when already owned).
1800
1801                     addr=<dbusaddr> : D-Bus bus address to connect to.
1802
1803                     p2p=yes|no  :  Use  peer-to-peer connection, accepted via
1804                     QMP add_client.
1805
1806                     gl=on|off|core|es : Use OpenGL for rendering  (the  D-Bus
1807                     interface  will  share  framebuffers with DMABUF file de‐
1808                     scriptors).
1809
1810              sdl    Display video output  via  SDL  (usually  in  a  separate
1811                     graphics window; see the SDL documentation for other pos‐
1812                     sibilities).  Valid parameters are:
1813
1814                     grab-mod=<mods> : Used to select the  modifier  keys  for
1815                     toggling  the  mouse grabbing in conjunction with the "g"
1816                     key. <mods> can be either lshift-lctrl-lalt or rctrl.
1817
1818                     gl=on|off|core|es : Use OpenGL for displaying
1819
1820                     show-cursor=on|off :  Force showing the mouse cursor
1821
1822                     window-close=on|off : Allow  to  quit  qemu  with  window
1823                     close button
1824
1825              gtk    Display video output in a GTK window. This interface pro‐
1826                     vides drop-down menus and other UI elements to  configure
1827                     and control the VM during runtime. Valid parameters are:
1828
1829                     full-screen=on|off : Start in fullscreen mode
1830
1831                     gl=on|off : Use OpenGL for displaying
1832
1833                     grab-on-hover=on|off : Grab keyboard input on mouse hover
1834
1835                     show-tabs=on|off
1836                            Display the tab bar for switching between the var‐
1837                            ious graphical interfaces (e.g.  VGA  and  virtual
1838                            console character devices) by default.
1839
1840                     show-cursor=on|off :  Force showing the mouse cursor
1841
1842                     window-close=on|off  :  Allow  to  quit  qemu with window
1843                     close button
1844
1845                     show-menubar=on|off : Display the  main  window  menubar,
1846                     defaults to "on"
1847
1848                     zoom-to-fit=on|off
1849                            Expand  video  output to the window size, defaults
1850                            to "off"
1851
1852              curses[,charset=<encoding>]
1853                     Display video output via curses. For graphics device mod‐
1854                     els which support a text mode, QEMU can display this out‐
1855                     put using a curses/ncurses  interface.  Nothing  is  dis‐
1856                     played  when  the graphics device is in graphical mode or
1857                     if the graphics device does not support a text mode. Gen‐
1858                     erally  only the VGA device models support text mode. The
1859                     font charset used by the guest can be specified with  the
1860                     charset  option,  for example charset=CP850 for IBM CP850
1861                     encoding. The default is CP437.
1862
1863              cocoa  Display video output in a Cocoa window.  Mac  only.  This
1864                     interface  provides drop-down menus and other UI elements
1865                     to configure and control the VM during runtime. Valid pa‐
1866                     rameters are:
1867
1868                     show-cursor=on|off :  Force showing the mouse cursor
1869
1870                     left-command-key=on|off : Disable forwarding left command
1871                     key to host
1872
1873              egl-headless[,rendernode=<file>]
1874                     Offload all OpenGL operations to a local DRI device.  For
1875                     any  graphical  display,  this display needs to be paired
1876                     with either VNC or SPICE displays.
1877
1878              vnc=<display>
1879                     Start a VNC server on display <display>
1880
1881              none   Do not display video output. The guest will still see  an
1882                     emulated  graphics  card, but its output will not be dis‐
1883                     played to the QEMU user. This  option  differs  from  the
1884                     -nographic  option  in  that it only affects what is done
1885                     with video output; -nographic also changes  the  destina‐
1886                     tion of the serial and parallel port data.
1887
1888       -nographic
1889              Normally,  if QEMU is compiled with graphical window support, it
1890              displays output such as guest graphics, guest console,  and  the
1891              QEMU monitor in a window. With this option, you can totally dis‐
1892              able graphical output so that QEMU is a simple command line  ap‐
1893              plication.   The  emulated serial port is redirected on the con‐
1894              sole and muxed with the monitor (unless redirected elsewhere ex‐
1895              plicitly).  Therefore,  you  can still use QEMU to debug a Linux
1896              kernel with a serial console.  Use C-a h for help  on  switching
1897              between the console and monitor.
1898
1899       -spice option[,option[,...]]
1900              Enable the spice remote desktop protocol. Valid options are
1901
1902              port=<nr>
1903                     Set  the  TCP  port  spice  is listening on for plaintext
1904                     channels.
1905
1906              addr=<addr>
1907                     Set the IP address spice is listening on. Default is  any
1908                     address.
1909
1910              ipv4=on|off; ipv6=on|off; unix=on|off
1911                     Force using the specified IP version.
1912
1913              password-secret=<secret-id>
1914                     Set  the  ID of the secret object containing the password
1915                     you need to authenticate.
1916
1917              sasl=on|off
1918                     Require that the client use SASL to authenticate with the
1919                     spice.  The exact choice of authentication method used is
1920                     controlled from the system /  user's  SASL  configuration
1921                     file  for  the 'qemu' service. This is typically found in
1922                     /etc/sasl2/qemu.conf. If running QEMU as an  unprivileged
1923                     user,  an environment variable SASL_CONF_PATH can be used
1924                     to make it search alternate  locations  for  the  service
1925                     config.  While  some  SASL  auth methods can also provide
1926                     data encryption (eg GSSAPI), it is recommended that  SASL
1927                     always  be combined with the 'tls' and 'x509' settings to
1928                     enable use of SSL and server certificates. This ensures a
1929                     data  encryption  preventing compromise of authentication
1930                     credentials.
1931
1932              disable-ticketing=on|off
1933                     Allow client connects without authentication.
1934
1935              disable-copy-paste=on|off
1936                     Disable copy paste between the client and the guest.
1937
1938              disable-agent-file-xfer=on|off
1939                     Disable spice-vdagent based file-xfer between the  client
1940                     and the guest.
1941
1942              tls-port=<nr>
1943                     Set  the  TCP  port  spice  is listening on for encrypted
1944                     channels.
1945
1946              x509-dir=<dir>
1947                     Set the x509 file directory. Expects  same  filenames  as
1948                     -vnc $display,x509=$dir
1949
1950              x509-key-file=<file>;                  x509-key-password=<file>;
1951              x509-cert-file=<file>;                  x509-cacert-file=<file>;
1952              x509-dh-key-file=<file>
1953                     The x509 file names can also be configured individually.
1954
1955              tls-ciphers=<list>
1956                     Specify which ciphers to use.
1957
1958              tls-channel=[main|display|cursor|inputs|record|playback]; plain‐
1959              text-channel=[main|display|cursor|inputs|record|playback]
1960                     Force specific channel to be used with or without TLS en‐
1961                     cryption.  The options can be specified multiple times to
1962                     configure multiple channels. The special  name  "default"
1963                     can  be  used to set the default mode. For channels which
1964                     are not explicitly forced into one mode the spice  client
1965                     is allowed to pick tls/plaintext as he pleases.
1966
1967              image-compression=[auto_glz|auto_lz|quic|glz|lz|off]
1968                     Configure   image   compression  (lossless).  Default  is
1969                     auto_glz.
1970
1971              jpeg-wan-compression=[auto|never|always];  zlib-glz-wan-compres‐
1972              sion=[auto|never|always]
1973                     Configure  wan  image compression (lossy for slow links).
1974                     Default is auto.
1975
1976              streaming-video=[off|all|filter]
1977                     Configure video stream detection. Default is off.
1978
1979              agent-mouse=[on|off]
1980                     Enable/disable passing mouse events via vdagent.  Default
1981                     is on.
1982
1983              playback-compression=[on|off]
1984                     Enable/disable   audio  stream  compression  (using  celt
1985                     0.5.1).  Default is on.
1986
1987              seamless-migration=[on|off]
1988                     Enable/disable spice seamless migration. Default is off.
1989
1990              gl=[on|off]
1991                     Enable/disable OpenGL context. Default is off.
1992
1993              rendernode=<file>
1994                     DRM render node for OpenGL rendering. If  not  specified,
1995                     it will pick the first available. (Since 2.9)
1996
1997       -portrait
1998              Rotate graphical output 90 deg left (only PXA LCD).
1999
2000       -rotate deg
2001              Rotate graphical output some deg left (only PXA LCD).
2002
2003       -vga type
2004              Select type of VGA card to emulate. Valid values for type are
2005
2006              cirrus Cirrus  Logic  GD5446  Video  card.  All Windows versions
2007                     starting from Windows 95 should recognize  and  use  this
2008                     graphic  card. For optimal performances, use 16 bit color
2009                     depth in the guest and the host OS. (This  card  was  the
2010                     default before QEMU 2.2)
2011
2012              std    Standard  VGA  card  with  Bochs  VBE extensions. If your
2013                     guest OS supports the VESA 2.0 VBE extensions (e.g.  Win‐
2014                     dows XP) and if you want to use high resolution modes (>=
2015                     1280x1024x16) then you should use this option. (This card
2016                     is the default since QEMU 2.2)
2017
2018              vmware VMWare  SVGA-II  compatible  adapter.  Use it if you have
2019                     sufficiently recent XFree86/XOrg server or Windows  guest
2020                     with a driver for this card.
2021
2022              qxl    QXL  paravirtual  graphic card. It is VGA compatible (in‐
2023                     cluding VESA 2.0 VBE support). Works best with qxl  guest
2024                     drivers  installed  though. Recommended choice when using
2025                     the spice protocol.
2026
2027              tcx    (sun4m only) Sun TCX framebuffer.  This  is  the  default
2028                     framebuffer  for sun4m machines and offers both 8-bit and
2029                     24-bit colour depths at a fixed resolution of 1024x768.
2030
2031              cg3    (sun4m only) Sun cgthree framebuffer. This  is  a  simple
2032                     8-bit  framebuffer  for  sun4m machines available in both
2033                     1024x768 (OpenBIOS) and 1152x900 (OBP) resolutions  aimed
2034                     at people wishing to run older Solaris versions.
2035
2036              virtio Virtio VGA card.
2037
2038              none   Disable VGA card.
2039
2040       -full-screen
2041              Start in full screen.
2042
2043       -g widthxheight[xdepth]
2044              Set  the  initial  graphical  resolution  and  depth (PPC, SPARC
2045              only).
2046
2047              For PPC the default is 800x600x32.
2048
2049              For  SPARC  with  the  TCX  graphics  device,  the  default   is
2050              1024x768x8  with the option of 1024x768x24. For cgthree, the de‐
2051              fault is 1024x768x8 with the option of 1152x900x8 for people who
2052              wish to use OBP.
2053
2054       -vnc display[,option[,option[,...]]]
2055              Normally,  if QEMU is compiled with graphical window support, it
2056              displays output such as guest graphics, guest console,  and  the
2057              QEMU  monitor  in  a window. With this option, you can have QEMU
2058              listen on VNC display display and redirect the VGA display  over
2059              the  VNC session. It is very useful to enable the usb tablet de‐
2060              vice when using this option (option  -device  usb-tablet).  When
2061              using  the VNC display, you must use the -k parameter to set the
2062              keyboard layout if you are not using en-us. Valid syntax for the
2063              display is
2064
2065              to=L   With  this  option, QEMU will try next available VNC dis‐
2066                     plays, until the number  L,  if  the  origianlly  defined
2067                     "-vnc  display"  is not available, e.g. port 5900+display
2068                     is already used by another application. By default, to=0.
2069
2070              host:d TCP connections will only be allowed from host on display
2071                     d. By convention the TCP port is 5900+d. Optionally, host
2072                     can be omitted in which case the server will accept  con‐
2073                     nections from any host.
2074
2075              unix:path
2076                     Connections  will  be  allowed  over  UNIX domain sockets
2077                     where path is the location of a unix socket to listen for
2078                     connections on.
2079
2080              none   VNC  is  initialized  but not started. The monitor change
2081                     command can be used to later start the VNC server.
2082
2083              Following the display value there may  be  one  or  more  option
2084              flags separated by commas. Valid options are
2085
2086              reverse=on|off
2087                     Connect to a listening VNC client via a "reverse" connec‐
2088                     tion.  The client is specified by the  display.  For  re‐
2089                     verse network connections (host:d,``reverse``), the d ar‐
2090                     gument is a TCP port number, not a display number.
2091
2092              websocket=on|off
2093                     Opens an additional TCP listening port dedicated  to  VNC
2094                     Websocket  connections.  If  a  bare  websocket option is
2095                     given, the Websocket port is 5700+display. An alternative
2096                     port can be specified with the syntax websocket=port.
2097
2098                     If  host  is  specified  connections will only be allowed
2099                     from this host. It is possible to control  the  websocket
2100                     listen  address  independently,  using  the  syntax  web‐
2101                     socket=host:port.
2102
2103                     If no TLS credentials are provided, the websocket connec‐
2104                     tion  runs  in  unencrypted  mode. If TLS credentials are
2105                     provided, the  websocket  connection  requires  encrypted
2106                     client connections.
2107
2108              password=on|off
2109                     Require  that  password  based authentication is used for
2110                     client connections.
2111
2112                     The password must be set separately using  the  set_pass‐
2113                     word  command  in  the QEMU Monitor. The syntax to change
2114                     your  password  is:  set_password  <protocol>  <password>
2115                     where <protocol> could be either "vnc" or "spice".
2116
2117                     If  you  would like to change <protocol> password expira‐
2118                     tion, you should use expire_password <protocol>  <expira‐
2119                     tion-time> where expiration time could be one of the fol‐
2120                     lowing options: now, never, +seconds or UNIX time of  ex‐
2121                     piration, e.g. +60 to make password expire in 60 seconds,
2122                     or 1335196800 to make password  expire  on  "Mon  Apr  23
2123                     12:00:00 EDT 2012" (UNIX time for this date and time).
2124
2125                     You  can also use keywords "now" or "never" for the expi‐
2126                     ration time to allow <protocol> password to expire  imme‐
2127                     diately or never expire.
2128
2129              password-secret=<secret-id>
2130                     Require  that  password  based authentication is used for
2131                     client connections, using the password  provided  by  the
2132                     secret object identified by secret-id.
2133
2134              tls-creds=ID
2135                     Provides the ID of a set of TLS credentials to use to se‐
2136                     cure the VNC server. They will apply to both  the  normal
2137                     VNC  server socket and the websocket socket (if enabled).
2138                     Setting TLS credentials will cause the VNC server  socket
2139                     to  enable  the  VeNCrypt auth mechanism. The credentials
2140                     should have been previously  created  using  the  -object
2141                     tls-creds argument.
2142
2143              tls-authz=ID
2144                     Provides  the  ID  of  the  QAuthZ  authorization  object
2145                     against which the client's x509 distinguished  name  will
2146                     validated.  This  object is only resolved at time of use,
2147                     so can be deleted and recreated on the fly while the  VNC
2148                     server  is active. If missing, it will default to denying
2149                     access.
2150
2151              sasl=on|off
2152                     Require that the client use SASL to authenticate with the
2153                     VNC  server.  The  exact  choice of authentication method
2154                     used is controlled from the system / user's SASL configu‐
2155                     ration  file  for  the  'qemu' service. This is typically
2156                     found in /etc/sasl2/qemu.conf. If running QEMU as an  un‐
2157                     privileged  user,  an environment variable SASL_CONF_PATH
2158                     can be used to make it search alternate locations for the
2159                     service  config.  While  some  SASL auth methods can also
2160                     provide data encryption (eg GSSAPI),  it  is  recommended
2161                     that  SASL  always  be combined with the 'tls' and 'x509'
2162                     settings to enable use of SSL  and  server  certificates.
2163                     This  ensures  a data encryption preventing compromise of
2164                     authentication credentials. See the VNC security  section
2165                     in  the System Emulation Users Guide for details on using
2166                     SASL authentication.
2167
2168              sasl-authz=ID
2169                     Provides  the  ID  of  the  QAuthZ  authorization  object
2170                     against  which the client's SASL username will validated.
2171                     This object is only resolved at time of use,  so  can  be
2172                     deleted  and recreated on the fly while the VNC server is
2173                     active. If missing, it will default to denying access.
2174
2175              acl=on|off
2176                     Legacy  method  for  enabling  authorization  of  clients
2177                     against the x509 distinguished name and SASL username. It
2178                     results in the creation of two  authz-list  objects  with
2179                     IDs  of  vnc.username  and  vnc.x509dname.  The rules for
2180                     these objects must be configured with the  HMP  ACL  com‐
2181                     mands.
2182
2183                     This  option  is deprecated and should no longer be used.
2184                     The new sasl-authz and tls-authz options are  a  replace‐
2185                     ment.
2186
2187              lossy=on|off
2188                     Enable  lossy  compression methods (gradient, JPEG, ...).
2189                     If this option is  set,  VNC  client  may  receive  lossy
2190                     framebuffer  updates  depending on its encoding settings.
2191                     Enabling this option can save a lot of bandwidth  at  the
2192                     expense of quality.
2193
2194              non-adaptive=on|off
2195                     Disable  adaptive  encodings.  Adaptive encodings are en‐
2196                     abled by default. An adaptive encoding will try to detect
2197                     frequently  updated  screen  regions, and send updates in
2198                     these regions using a lossy encoding  (like  JPEG).  This
2199                     can  be  really  helpful  to  save bandwidth when playing
2200                     videos. Disabling adaptive encodings restores the  origi‐
2201                     nal static behavior of encodings like Tight.
2202
2203              share=[allow-exclusive|force-shared|ignore]
2204                     Set  display  sharing  policy.  'allow-exclusive'  allows
2205                     clients to ask for exclusive access. As suggested by  the
2206                     rfb  spec  this  is implemented by dropping other connec‐
2207                     tions. Connecting multiple clients in  parallel  requires
2208                     all  clients  asking  for  a  shared  session (vncviewer:
2209                     -shared switch). This  is  the  default.   'force-shared'
2210                     disables exclusive client access. Useful for shared desk‐
2211                     top sessions, where you  don't  want  someone  forgetting
2212                     specify  -shared disconnect everybody else. 'ignore' com‐
2213                     pletely ignores the shared flag and allows everybody con‐
2214                     nect unconditionally. Doesn't conform to the rfb spec but
2215                     is traditional QEMU behavior.
2216
2217              key-delay-ms
2218                     Set keyboard delay, for key down and key  up  events,  in
2219                     milliseconds.  Default is 10. Keyboards are low-bandwidth
2220                     devices, so this slowdown can help the device  and  guest
2221                     to  keep up and not lose events in case events are arriv‐
2222                     ing in bulk.  Possible causes for the  latter  are  flaky
2223                     network connections, or scripts for automated testing.
2224
2225              audiodev=audiodev
2226                     Use  the  specified audiodev when the VNC client requests
2227                     audio transmission. When not using an -audiodev argument,
2228                     this option must be omitted, otherwise is must be present
2229                     and specify a valid audiodev.
2230
2231              power-control=on|off
2232                     Permit the remote client to issue shutdown, reboot or re‐
2233                     set power control requests.
2234
2235   i386 target only
2236       -win2k-hack
2237              Use  it  when  installing Windows 2000 to avoid a disk full bug.
2238              After Windows 2000 is installed, you no longer need this  option
2239              (this option slows down the IDE transfers).
2240
2241       -no-fd-bootchk
2242              Disable boot signature checking for floppy disks in BIOS. May be
2243              needed to boot from old floppy disks.
2244
2245       -no-acpi
2246              Disable ACPI (Advanced Configuration and Power  Interface)  sup‐
2247              port.  Use it if your guest OS complains about ACPI problems (PC
2248              target machine only).
2249
2250       -no-hpet
2251              Disable HPET support. Deprecated, use  '-machine  hpet=off'  in‐
2252              stead.
2253
2254       -acpitable                      [sig=str][,rev=n][,oem_id=str][,oem_ta‐
2255       ble_id=str][,oem_rev=n]                [,asl_compiler_id=str][,asl_com‐
2256       piler_rev=n][,data=file1[:file2]...]
2257              Add  ACPI  table  with  specified header fields and context from
2258              specified files. For file=, take whole ACPI table from the spec‐
2259              ified  files, including all ACPI headers (possible overridden by
2260              other options). For data=, only data portion  of  the  table  is
2261              used,  all  header information is specified in the command line.
2262              If a SLIC table is supplied to QEMU, then the SLIC's oem_id  and
2263              oem_table_id  fields  will override the same in the RSDT and the
2264              FADT (a.k.a.  FACP), in order to ensure the  field  matches  re‐
2265              quired by the Microsoft SLIC spec and the ACPI spec.
2266
2267       -smbios file=binary
2268              Load SMBIOS entry from binary file.
2269
2270       -smbios               type=0[,vendor=str][,version=str][,date=str][,re‐
2271       lease=%d.%d][,uefi=on|off]
2272              Specify SMBIOS type 0 fields
2273
2274       -smbios      type=1[,manufacturer=str][,product=str][,version=str][,se‐
2275       rial=str][,uuid=uuid][,sku=str][,family=str]
2276              Specify SMBIOS type 1 fields
2277
2278       -smbios      type=2[,manufacturer=str][,product=str][,version=str][,se‐
2279       rial=str][,asset=str][,location=str]
2280              Specify SMBIOS type 2 fields
2281
2282       -smbios       type=3[,manufacturer=str][,version=str][,serial=str][,as‐
2283       set=str][,sku=str]
2284              Specify SMBIOS type 3 fields
2285
2286       -smbios     type=4[,sock_pfx=str][,manufacturer=str][,version=str][,se‐
2287       rial=str][,asset=str][,part=str][,processor-id=%d]
2288              Specify SMBIOS type 4 fields
2289
2290       -smbios type=11[,value=str][,path=filename]
2291              Specify SMBIOS type 11 fields
2292
2293              This argument can be repeated multiple  times,  and  values  are
2294              added  in  the order they are parsed.  Applications intending to
2295              use OEM strings data are encouraged  to  use  their  application
2296              name  as a prefix for the value string. This facilitates passing
2297              information for multiple applications concurrently.
2298
2299              The value=str syntax provides the string data inline, while  the
2300              path=filename  syntax  loads data from a file on disk. Note that
2301              the file is not permitted to contain any NUL bytes.
2302
2303              Both the value and path options can be repeated  multiple  times
2304              and will be added to the SMBIOS table in the order in which they
2305              appear.
2306
2307              Note that on the x86 architecture, the total size of all  SMBIOS
2308              tables  is  limited to 65535 bytes. Thus the OEM strings data is
2309              not suitable for passing large amounts of data into  the  guest.
2310              Instead  it  should  be  used as a indicator to inform the guest
2311              where to locate the real data set, for  example,  by  specifying
2312              the serial ID of a block device.
2313
2314              An example passing three strings is
2315
2316                 -smbios type=11,value=cloud-init:ds=nocloud-net;s=http://10.10.0.1:8000/,\
2317                                 value=anaconda:method=http://dl.fedoraproject.org/pub/fedora/linux/releases/25/x86_64/os,\
2318                                 path=/some/file/with/oemstringsdata.txt
2319
2320              In the guest OS this is visible with the dmidecode command
2321
2322                     $ dmidecode -t 11
2323                     Handle 0x0E00, DMI type 11, 5 bytes
2324                     OEM Strings
2325                          String 1: cloud-init:ds=nocloud-net;s=http://10.10.0.1:8000/
2326                          String 2: anaconda:method=http://dl.fedoraproject.org/pub/fedora/linux/releases/25/x86_64/os
2327                          String 3: myapp:some extra data
2328
2329       -smbios        type=17[,loc_pfx=str][,bank=str][,manufacturer=str][,se‐
2330       rial=str][,asset=str][,part=str][,speed=%d]
2331              Specify SMBIOS type 17 fields
2332
2333       -smbios type=41[,designation=str][,kind=str][,instance=%d][,pcidev=str]
2334              Specify SMBIOS type 41 fields
2335
2336              This argument can be repeated multiple times.  Its main  use  is
2337              to  allow network interfaces be created as enoX on Linux, with X
2338              being the instance number, instead of the name depending on  the
2339              interface position on the PCI bus.
2340
2341              Here is an example of use:
2342
2343                 -netdev user,id=internet \
2344                 -device virtio-net-pci,mac=50:54:00:00:00:42,netdev=internet,id=internet-dev \
2345                 -smbios type=41,designation='Onboard LAN',instance=1,kind=ethernet,pcidev=internet-dev
2346
2347              In the guest OS, the device should then appear as eno1:
2348
2349              ..parsed-literal:
2350
2351                 $ ip -brief l
2352                 lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
2353                 eno1             UP             50:54:00:00:00:42 <BROADCAST,MULTICAST,UP,LOWER_UP>
2354
2355              Currently, the PCI device has to be attached to the root bus.
2356
2357   Network options
2358       -nic
2359       [tap|bridge|user|l2tpv3|vde|netmap|vhost-user|socket][,...][,mac=macaddr][,model=mn]
2360              This option is a shortcut for configuring both the on-board (de‐
2361              fault) guest NIC hardware and the host network  backend  in  one
2362              go.   The  host  backend options are the same as with the corre‐
2363              sponding -netdev options below. The guest NIC model can  be  set
2364              with  model=modelname.  Use model=help to list the available de‐
2365              vice  types.  The  hardware  MAC  address  can   be   set   with
2366              mac=macaddr.
2367
2368              The  following two example do exactly the same, to show how -nic
2369              can be used to shorten the command line length:
2370
2371                 qemu-system-x86_64 -netdev user,id=n1,ipv6=off -device e1000,netdev=n1,mac=52:54:98:76:54:32
2372                 qemu-system-x86_64 -nic user,ipv6=off,model=e1000,mac=52:54:98:76:54:32
2373
2374       -nic none
2375              Indicate that no network devices should  be  configured.  It  is
2376              used  to  override  the  default configuration (default NIC with
2377              "user" host network backend) which is activated if no other net‐
2378              working options are provided.
2379
2380       -netdev user,id=id[,option][,option][,...]
2381              Configure  user  mode host network backend which requires no ad‐
2382              ministrator privilege to run. Valid options are:
2383
2384              id=id  Assign symbolic name for use in monitor commands.
2385
2386              ipv4=on|off and ipv6=on|off
2387                     Specify that either IPv4 or IPv6 must be enabled. If nei‐
2388                     ther is specified both protocols are enabled.
2389
2390              net=addr[/mask]
2391                     Set  IP  network  address  the guest will see. Optionally
2392                     specify the netmask, either in the  form  a.b.c.d  or  as
2393                     number of valid top-most bits. Default is 10.0.2.0/24.
2394
2395              host=addr
2396                     Specify the guest-visible address of the host. Default is
2397                     the 2nd IP in the guest network, i.e. x.x.x.2.
2398
2399              ipv6-net=addr[/int]
2400                     Set IPv6 network address the guest will see  (default  is
2401                     fec0::/64).  The  network  prefix  is  given in the usual
2402                     hexadecimal IPv6 address notation. The prefix size is op‐
2403                     tional, and is given as the number of valid top-most bits
2404                     (default is 64).
2405
2406              ipv6-host=addr
2407                     Specify the guest-visible IPv6 address of the  host.  De‐
2408                     fault is the 2nd IPv6 in the guest network, i.e. xxxx::2.
2409
2410              restrict=on|off
2411                     If  this  option  is enabled, the guest will be isolated,
2412                     i.e. it will not be able to contact the host and no guest
2413                     IP  packets  will be routed over the host to the outside.
2414                     This option does not affect any explicitly set forwarding
2415                     rules.
2416
2417              hostname=name
2418                     Specifies  the  client  hostname reported by the built-in
2419                     DHCP server.
2420
2421              dhcpstart=addr
2422                     Specify the first of the 16 IPs the built-in DHCP  server
2423                     can  assign.  Default is the 15th to 31st IP in the guest
2424                     network, i.e. x.x.x.15 to x.x.x.31.
2425
2426              dns=addr
2427                     Specify the guest-visible address of  the  virtual  name‐
2428                     server.  The  address must be different from the host ad‐
2429                     dress. Default is the 3rd IP in the guest  network,  i.e.
2430                     x.x.x.3.
2431
2432              ipv6-dns=addr
2433                     Specify  the  guest-visible  address  of the IPv6 virtual
2434                     nameserver. The address must be different from  the  host
2435                     address.   Default  is  the  3rd IP in the guest network,
2436                     i.e. xxxx::3.
2437
2438              dnssearch=domain
2439                     Provides an entry for the domain-search list sent by  the
2440                     built-in  DHCP server. More than one domain suffix can be
2441                     transmitted by specifying this option multiple times.  If
2442                     supported, this will cause the guest to automatically try
2443                     to append the given domain suffix(es) in  case  a  domain
2444                     name can not be resolved.
2445
2446                     Example:
2447
2448                        qemu-system-x86_64 -nic user,dnssearch=mgmt.example.org,dnssearch=example.org
2449
2450              domainname=domain
2451                     Specifies the client domain name reported by the built-in
2452                     DHCP server.
2453
2454              tftp=dir
2455                     When using  the  user  mode  network  stack,  activate  a
2456                     built-in TFTP server. The files in dir will be exposed as
2457                     the root of a TFTP server. The TFTP client on  the  guest
2458                     must be configured in binary mode (use the command bin of
2459                     the Unix TFTP client).
2460
2461              tftp-server-name=name
2462                     In BOOTP reply, broadcast name as the "TFTP server  name"
2463                     (RFC2132 option 66). This can be used to advise the guest
2464                     to load boot files or  configurations  from  a  different
2465                     server than the host address.
2466
2467              bootfile=file
2468                     When using the user mode network stack, broadcast file as
2469                     the BOOTP filename. In conjunction with tftp, this can be
2470                     used to network boot a guest from a local directory.
2471
2472                     Example (using pxelinux):
2473
2474                        qemu-system-x86_64 -hda linux.img -boot n -device e1000,netdev=n1 \
2475                            -netdev user,id=n1,tftp=/path/to/tftp/files,bootfile=/pxelinux.0
2476
2477              smb=dir[,smbserver=addr]
2478                     When  using  the  user  mode  network  stack,  activate a
2479                     built-in SMB server so that Windows OSes  can  access  to
2480                     the  host  files  in dir transparently. The IP address of
2481                     the SMB server can be set to addr. By default the 4th  IP
2482                     in the guest network is used, i.e. x.x.x.4.
2483
2484                     In the guest Windows OS, the line:
2485
2486                        10.0.2.4 smbserver
2487
2488                     must be added in the file C:\WINDOWS\LMHOSTS (for windows
2489                     9x/Me) or C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS  (Windows
2490                     NT/2000).
2491
2492                     Then dir can be accessed in \\smbserver\qemu.
2493
2494                     Note  that  a  SAMBA server must be installed on the host
2495                     OS.
2496
2497              hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
2498                     Redirect incoming TCP or UDP connections to the host port
2499                     hostport  to the guest IP address guestaddr on guest port
2500                     guestport. If guestaddr is not specified,  its  value  is
2501                     x.x.x.15  (default  first  address  given by the built-in
2502                     DHCP server). By specifying hostaddr,  the  rule  can  be
2503                     bound to a specific host interface. If no connection type
2504                     is set, TCP is used. This option can  be  given  multiple
2505                     times.
2506
2507                     For  example, to redirect host X11 connection from screen
2508                     1 to guest screen 0, use the following:
2509
2510                        # on the host
2511                        qemu-system-x86_64 -nic user,hostfwd=tcp:127.0.0.1:6001-:6000
2512                        # this host xterm should open in the guest X11 server
2513                        xterm -display :1
2514
2515                     To redirect telnet connections from  host  port  5555  to
2516                     telnet port on the guest, use the following:
2517
2518                        # on the host
2519                        qemu-system-x86_64 -nic user,hostfwd=tcp::5555-:23
2520                        telnet localhost 5555
2521
2522                     Then  when you use on the host telnet localhost 5555, you
2523                     connect to the guest telnet server.
2524
2525              guestfwd=[tcp]:server:port-dev;                           guest‐
2526              fwd=[tcp]:server:port-cmd:command
2527                     Forward guest TCP connections to the IP address server on
2528                     port port to the character device dev or to a program ex‐
2529                     ecuted by cmd:command which gets spawned for each connec‐
2530                     tion. This option can be given multiple times.
2531
2532                     You can either use a chardev directly and have  that  one
2533                     used  throughout  QEMU's  lifetime, like in the following
2534                     example:
2535
2536                        # open 10.10.1.1:4321 on bootup, connect 10.0.2.100:1234 to it whenever
2537                        # the guest accesses it
2538                        qemu-system-x86_64 -nic user,guestfwd=tcp:10.0.2.100:1234-tcp:10.10.1.1:4321
2539
2540                     Or you can execute a command on every TCP connection  es‐
2541                     tablished  by  the guest, so that QEMU behaves similar to
2542                     an inetd process for that virtual server:
2543
2544                        # call "netcat 10.10.1.1 4321" on every TCP connection to 10.0.2.100:1234
2545                        # and connect the TCP stream to its stdin/stdout
2546                        qemu-system-x86_64 -nic  'user,id=n1,guestfwd=tcp:10.0.2.100:1234-cmd:netcat 10.10.1.1 4321'
2547
2548       -netdev             tap,id=id[,fd=h][,ifname=name][,script=file][,down‐
2549       script=dfile][,br=bridge][,helper=helper]
2550              Configure a host TAP network backend with ID id.
2551
2552              Use  the  network  script  file  to configure it and the network
2553              script dfile to deconfigure it. If name is not provided, the  OS
2554              automatically provides one. The default network configure script
2555              is /etc/qemu-ifup and the default network deconfigure script  is
2556              /etc/qemu-ifdown.  Use  script=no  or  downscript=no  to disable
2557              script execution.
2558
2559              If running QEMU as an unprivileged user, use the network  helper
2560              to configure the TAP interface and attach it to the bridge.  The
2561              default network helper executable is /path/to/qemu-bridge-helper
2562              and the default bridge device is br0.
2563
2564              fd=h can be used to specify the handle of an already opened host
2565              TAP interface.
2566
2567              Examples:
2568
2569                 #launch a QEMU instance with the default network script
2570                 qemu-system-x86_64 linux.img -nic tap
2571
2572                 #launch a QEMU instance with two NICs, each one connected
2573                 #to a TAP device
2574                 qemu-system-x86_64 linux.img \
2575                         -netdev tap,id=nd0,ifname=tap0 -device e1000,netdev=nd0 \
2576                         -netdev tap,id=nd1,ifname=tap1 -device rtl8139,netdev=nd1
2577
2578                 #launch a QEMU instance with the default network helper to
2579                 #connect a TAP device to bridge br0
2580                 qemu-system-x86_64 linux.img -device virtio-net-pci,netdev=n1 \
2581                         -netdev tap,id=n1,"helper=/path/to/qemu-bridge-helper"
2582
2583       -netdev bridge,id=id[,br=bridge][,helper=helper]
2584              Connect a host TAP network interface to a host bridge device.
2585
2586              Use the network helper helper to configure the TAP interface and
2587              attach  it  to the bridge. The default network helper executable
2588              is /path/to/qemu-bridge-helper and the default bridge device  is
2589              br0.
2590
2591              Examples:
2592
2593                 #launch a QEMU instance with the default network helper to
2594                 #connect a TAP device to bridge br0
2595                 qemu-system-x86_64 linux.img -netdev bridge,id=n1 -device virtio-net,netdev=n1
2596
2597                 #launch a QEMU instance with the default network helper to
2598                 #connect a TAP device to bridge qemubr0
2599                 qemu-system-x86_64 linux.img -netdev bridge,br=qemubr0,id=n1 -device virtio-net,netdev=n1
2600
2601       -netdev socket,id=id[,fd=h][,listen=[host]:port][,connect=host:port]
2602              This  host  network  backend  can be used to connect the guest's
2603              network to another QEMU virtual machine using a TCP socket  con‐
2604              nection. If listen is specified, QEMU waits for incoming connec‐
2605              tions on port (host is optional). connect is used to connect  to
2606              another QEMU instance using the listen option. fd=h specifies an
2607              already opened TCP socket.
2608
2609              Example:
2610
2611                 # launch a first QEMU instance
2612                 qemu-system-x86_64 linux.img \
2613                                  -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2614                                  -netdev socket,id=n1,listen=:1234
2615                 # connect the network of this instance to the network of the first instance
2616                 qemu-system-x86_64 linux.img \
2617                                  -device e1000,netdev=n2,mac=52:54:00:12:34:57 \
2618                                  -netdev socket,id=n2,connect=127.0.0.1:1234
2619
2620       -netdev socket,id=id[,fd=h][,mcast=maddr:port[,localaddr=addr]]
2621              Configure a socket host network backend  to  share  the  guest's
2622              network  traffic  with another QEMU virtual machines using a UDP
2623              multicast socket, effectively making a bus for every  QEMU  with
2624              same multicast address maddr and port. NOTES:
2625
2626              1. Several QEMU can be running on different hosts and share same
2627                 bus (assuming correct multicast setup for these hosts).
2628
2629              2. mcast support is compatible with User  Mode  Linux  (argument
2630                 ethN=mcast), see http://user-mode-linux.sf.net.
2631
2632              3. Use fd=h to specify an already opened UDP multicast socket.
2633
2634              Example:
2635
2636                 # launch one QEMU instance
2637                 qemu-system-x86_64 linux.img \
2638                                  -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2639                                  -netdev socket,id=n1,mcast=230.0.0.1:1234
2640                 # launch another QEMU instance on same "bus"
2641                 qemu-system-x86_64 linux.img \
2642                                  -device e1000,netdev=n2,mac=52:54:00:12:34:57 \
2643                                  -netdev socket,id=n2,mcast=230.0.0.1:1234
2644                 # launch yet another QEMU instance on same "bus"
2645                 qemu-system-x86_64 linux.img \
2646                                  -device e1000,netdev=n3,mac=52:54:00:12:34:58 \
2647                                  -netdev socket,id=n3,mcast=230.0.0.1:1234
2648
2649              Example (User Mode Linux compat.):
2650
2651                 # launch QEMU instance (note mcast address selected is UML's default)
2652                 qemu-system-x86_64 linux.img \
2653                                  -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2654                                  -netdev socket,id=n1,mcast=239.192.168.1:1102
2655                 # launch UML
2656                 /path/to/linux ubd0=/path/to/root_fs eth0=mcast
2657
2658              Example (send packets from host's 1.2.3.4):
2659
2660                 qemu-system-x86_64 linux.img \
2661                                  -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2662                                  -netdev socket,id=n1,mcast=239.192.168.1:1102,localaddr=1.2.3.4
2663
2664       -netdev    l2tpv3,id=id,src=srcaddr,dst=dstaddr[,srcport=srcport][,dst‐
2665       port=dstport],txsession=txsession[,rxsession=rxses‐
2666       sion][,ipv6=on|off][,udp=on|off][,cookie64][,counter][,pincounter][,tx‐
2667       cookie=txcookie][,rxcookie=rxcookie][,offset=offset]
2668              Configure a  L2TPv3  pseudowire  host  network  backend.  L2TPv3
2669              (RFC3931) is a popular protocol to transport Ethernet (and other
2670              Layer 2) data frames between  two  systems.  It  is  present  in
2671              routers,  firewalls  and  the Linux kernel (from version 3.3 on‐
2672              wards).
2673
2674              This transport allows a VM to communicate to another VM,  router
2675              or firewall directly.
2676
2677              src=srcaddr
2678                     source address (mandatory)
2679
2680              dst=dstaddr
2681                     destination address (mandatory)
2682
2683              udp    select udp encapsulation (default is ip).
2684
2685              srcport=srcport
2686                     source udp port.
2687
2688              dstport=dstport
2689                     destination udp port.
2690
2691              ipv6   force v6, otherwise defaults to v4.
2692
2693              rxcookie=rxcookie; txcookie=txcookie
2694                     Cookies  are a weak form of security in the l2tpv3 speci‐
2695                     fication.  Their function is mostly to prevent misconfig‐
2696                     uration. By default they are 32 bit.
2697
2698              cookie64
2699                     Set cookie size to 64 bit instead of the default 32
2700
2701              counter=off
2702                     Force   a   'cut-down'  L2TPv3  with  no  counter  as  in
2703                     draft-mkonstan-l2tpext-keyed-ipv6-tunnel-00
2704
2705              pincounter=on
2706                     Work around broken counter handling  in  peer.  This  may
2707                     also help on networks which have packet reorder.
2708
2709              offset=offset
2710                     Add an extra offset between header and data
2711
2712              For  example,  to attach a VM running on host 4.3.2.1 via L2TPv3
2713              to the bridge br-lan on the remote Linux host 1.2.3.4:
2714
2715                 # Setup tunnel on linux host using raw ip as encapsulation
2716                 # on 1.2.3.4
2717                 ip l2tp add tunnel remote 4.3.2.1 local 1.2.3.4 tunnel_id 1 peer_tunnel_id 1 \
2718                     encap udp udp_sport 16384 udp_dport 16384
2719                 ip l2tp add session tunnel_id 1 name vmtunnel0 session_id \
2720                     0xFFFFFFFF peer_session_id 0xFFFFFFFF
2721                 ifconfig vmtunnel0 mtu 1500
2722                 ifconfig vmtunnel0 up
2723                 brctl addif br-lan vmtunnel0
2724
2725
2726                 # on 4.3.2.1
2727                 # launch QEMU instance - if your network has reorder or is very lossy add ,pincounter
2728
2729                 qemu-system-x86_64 linux.img -device e1000,netdev=n1 \
2730                     -netdev l2tpv3,id=n1,src=4.2.3.1,dst=1.2.3.4,udp,srcport=16384,dstport=16384,rxsession=0xffffffff,txsession=0xffffffff,counter
2731
2732       -netdev              vde,id=id[,sock=socketpath][,port=n][,group=group‐
2733       name][,mode=octalmode]
2734              Configure  VDE backend to connect to PORT n of a vde switch run‐
2735              ning on host and listening for incoming connections  on  socket‐
2736              path.  Use  GROUP groupname and MODE octalmode to change default
2737              ownership and permissions for communication port. This option is
2738              only  available  if  QEMU has been compiled with vde support en‐
2739              abled.
2740
2741              Example:
2742
2743                 # launch vde switch
2744                 vde_switch -F -sock /tmp/myswitch
2745                 # launch QEMU instance
2746                 qemu-system-x86_64 linux.img -nic vde,sock=/tmp/myswitch
2747
2748       -netdev vhost-user,chardev=id[,vhostforce=on|off][,queues=n]
2749              Establish a vhost-user netdev,  backed  by  a  chardev  id.  The
2750              chardev   should  be  a  unix  domain  socket  backed  one.  The
2751              vhost-user uses a specifically defined protocol  to  pass  vhost
2752              ioctl replacement messages to an application on the other end of
2753              the socket. On non-MSIX guests, the feature can be  forced  with
2754              vhostforce. Use 'queues=n' to specify the number of queues to be
2755              created for multiqueue vhost-user.
2756
2757              Example:
2758
2759                 qemu -m 512 -object memory-backend-file,id=mem,size=512M,mem-path=/hugetlbfs,share=on \
2760                      -numa node,memdev=mem \
2761                      -chardev socket,id=chr0,path=/path/to/socket \
2762                      -netdev type=vhost-user,id=net0,chardev=chr0 \
2763                      -device virtio-net-pci,netdev=net0
2764
2765       -netdev vhost-vdpa[,vhostdev=/path/to/dev][,vhostfd=h]
2766              Establish a vhost-vdpa netdev.
2767
2768              vDPA device is a device that uses a datapath which complies with
2769              the  virtio  specifications with a vendor specific control path.
2770              vDPA devices can be both physically located on the  hardware  or
2771              emulated by software.
2772
2773       -netdev hubport,id=id,hubid=hubid[,netdev=nd]
2774              Create a hub port on the emulated hub with ID hubid.
2775
2776              The hubport netdev lets you connect a NIC to a QEMU emulated hub
2777              instead of a single netdev. Alternatively, you can also  connect
2778              the  hubport to another netdev with ID nd by using the netdev=nd
2779              option.
2780
2781       -net                         nic[,netdev=nd][,macaddr=mac][,model=type]
2782       [,name=name][,addr=addr][,vectors=v]
2783              Legacy option to configure or create an on-board (or machine de‐
2784              fault) Network Interface Card(NIC) and connect it either to  the
2785              emulated  hub with ID 0 (i.e. the default hub), or to the netdev
2786              nd.  If model is omitted, then the default NIC model  associated
2787              with  the  machine type is used. Note that the default NIC model
2788              may change in future QEMU releases, so it is highly  recommended
2789              to  always  specify  a model. Optionally, the MAC address can be
2790              changed to mac, the device address set to addr (PCI cards only),
2791              and  a name can be assigned for use in monitor commands. Option‐
2792              ally, for PCI cards, you can specify the number v of MSI-X  vec‐
2793              tors  that  the card should have; this option currently only af‐
2794              fects virtio cards; set v = 0 to disable MSI-X. If no  -net  op‐
2795              tion  is  specified,  a  single NIC is created. QEMU can emulate
2796              several  different   models   of   network   card.    Use   -net
2797              nic,model=help for a list of available devices for your target.
2798
2799       -net user|tap|bridge|socket|l2tpv3|vde[,...][,name=name]
2800              Configure a host network backend (with the options corresponding
2801              to the same -netdev option) and connect it to the emulated hub 0
2802              (the default hub). Use name to specify the name of the hub port.
2803
2804   Character device options
2805       The general form of a character device option is:
2806
2807       -chardev backend,id=id[,mux=on|off][,options]
2808              Backend  is  one  of:  null,  socket, udp, msmouse, vc, ringbuf,
2809              file, pipe, console,  serial,  pty,  stdio,  braille,  parallel,
2810              spicevmc, spiceport. The specific backend will determine the ap‐
2811              plicable options.
2812
2813              Use -chardev help to print all available chardev backend types.
2814
2815              All devices must have an id, which can be any string up  to  127
2816              characters  long. It is used to uniquely identify this device in
2817              other command line directives.
2818
2819              A character device may be used in multiplexing mode by  multiple
2820              front-ends. Specify mux=on to enable this mode. A multiplexer is
2821              a "1:N" device, and here the "1" end is your  specified  chardev
2822              backend,  and  the "N" end is the various parts of QEMU that can
2823              talk to a chardev. If you create  a  chardev  with  id=myid  and
2824              mux=on,  QEMU  will create a multiplexer with your specified ID,
2825              and you can then configure  multiple  front  ends  to  use  that
2826              chardev  ID  for  their input/output. Up to four different front
2827              ends can be connected to a single multiplexed chardev.  (Without
2828              multiplexing  enabled,  a  chardev  can only be used by a single
2829              front end.) For instance you could use this to  allow  a  single
2830              stdio  chardev to be used by two serial ports and the QEMU moni‐
2831              tor:
2832
2833                 -chardev stdio,mux=on,id=char0 \
2834                 -mon chardev=char0,mode=readline \
2835                 -serial chardev:char0 \
2836                 -serial chardev:char0
2837
2838              You can have more than one multiplexer in  a  system  configura‐
2839              tion; for instance you could have a TCP port multiplexed between
2840              UART 0 and UART 1, and stdio multiplexed between the QEMU  moni‐
2841              tor and a parallel port:
2842
2843                 -chardev stdio,mux=on,id=char0 \
2844                 -mon chardev=char0,mode=readline \
2845                 -parallel chardev:char0 \
2846                 -chardev tcp,...,mux=on,id=char1 \
2847                 -serial chardev:char1 \
2848                 -serial chardev:char1
2849
2850              When  you're  using  a multiplexed character device, some escape
2851              sequences are interpreted in the input. See  the  chapter  about
2852              Keys  in  the character backend multiplexer in the System Emula‐
2853              tion Users Guide for more details.
2854
2855              Note that some other command line options may implicitly  create
2856              multiplexed  character  backends; for instance -serial mon:stdio
2857              creates a multiplexed stdio backend connected to the serial port
2858              and  the  QEMU monitor, and -nographic also multiplexes the con‐
2859              sole and the monitor to stdio.
2860
2861              There is currently no support for multiplexing in the other  di‐
2862              rection  (where  a  single QEMU front end takes input and output
2863              from multiple chardevs).
2864
2865              Every backend supports the logfile option,  which  supplies  the
2866              path  to  a file to record all data transmitted via the backend.
2867              The logappend option controls whether the log file will be trun‐
2868              cated or appended to when opened.
2869
2870       The available backends are:
2871
2872       -chardev null,id=id
2873              A void device. This device will not emit any data, and will drop
2874              any data it receives. The null backend does  not  take  any  op‐
2875              tions.
2876
2877       -chardev      socket,id=id[,TCP      options      or      unix      op‐
2878       tions][,server=on|off][,wait=on|off][,telnet=on|off][,web‐
2879       socket=on|off][,reconnect=seconds][,tls-creds=id][,tls-authz=id]
2880              Create  a  two-way stream socket, which can be either a TCP or a
2881              unix socket. A unix socket will be created if path is specified.
2882              Behaviour  is  undefined if TCP options are specified for a unix
2883              socket.
2884
2885              server=on|off specifies that the socket  shall  be  a  listening
2886              socket.
2887
2888              wait=on|off  specifies  that QEMU should not block waiting for a
2889              client to connect to a listening socket.
2890
2891              telnet=on|off specifies that traffic on the socket should inter‐
2892              pret telnet escape sequences.
2893
2894              websocket=on|off specifies that the socket uses WebSocket proto‐
2895              col for communication.
2896
2897              reconnect sets the timeout for reconnecting on non-server  sock‐
2898              ets  when  the  remote  end goes away. qemu will delay this many
2899              seconds and then attempt to reconnect. Zero disables  reconnect‐
2900              ing, and is the default.
2901
2902              tls-creds  requests  enablement  of the TLS protocol for encryp‐
2903              tion, and specifies the id of the TLS credentials to use for the
2904              handshake.  The  credentials must be previously created with the
2905              -object tls-creds argument.
2906
2907              tls-auth provides the ID  of  the  QAuthZ  authorization  object
2908              against which the client's x509 distinguished name will be vali‐
2909              dated. This object is only resolved at time of use,  so  can  be
2910              deleted and recreated on the fly while the chardev server is ac‐
2911              tive.  If missing, it will default to denying access.
2912
2913              TCP and unix socket options are given below:
2914
2915              TCP                                                     options:
2916              port=port[,host=host][,to=to][,ipv4=on|off][,ipv6=on|off][,node‐
2917              lay=on|off]
2918                     host for a listening socket specifies the  local  address
2919                     to  be  bound. For a connecting socket species the remote
2920                     host to connect to. host is optional for listening  sock‐
2921                     ets. If not specified it defaults to 0.0.0.0.
2922
2923                     port  for  a listening socket specifies the local port to
2924                     be bound. For a connecting socket specifies the  port  on
2925                     the  remote  host to connect to. port can be given as ei‐
2926                     ther a port number or a service name. port is required.
2927
2928                     to is only relevant to listening sockets. If it is speci‐
2929                     fied, and port cannot be bound, QEMU will attempt to bind
2930                     to subsequent ports up to and including to until it  suc‐
2931                     ceeds. to must be specified as a port number.
2932
2933                     ipv4=on|off  and  ipv6=on|off specify that either IPv4 or
2934                     IPv6 must be used. If neither is specified the socket may
2935                     use either protocol.
2936
2937                     nodelay=on|off disables the Nagle algorithm.
2938
2939              unix options: path=path[,abstract=on|off][,tight=on|off]
2940                     path specifies the local path of the unix socket. path is
2941                     required.  abstract=on|off specifies the use of  the  ab‐
2942                     stract socket namespace, rather than the filesystem.  Op‐
2943                     tional, defaults to false.  tight=on|off sets the  socket
2944                     length  of abstract sockets to their minimum, rather than
2945                     the full sun_path length.  Optional, defaults to true.
2946
2947       -chardev  udp,id=id[,host=host],port=port[,localaddr=localaddr][,local‐
2948       port=localport][,ipv4=on|off][,ipv6=on|off]
2949              Sends all traffic from the guest to a remote host over UDP.
2950
2951              host  specifies  the remote host to connect to. If not specified
2952              it defaults to localhost.
2953
2954              port specifies the port on the remote host to connect to.   port
2955              is required.
2956
2957              localaddr  specifies the local address to bind to. If not speci‐
2958              fied it defaults to 0.0.0.0.
2959
2960              localport specifies the local port to bind to. If not  specified
2961              any available local port will be used.
2962
2963              ipv4=on|off  and  ipv6=on|off  specify  that either IPv4 or IPv6
2964              must be used.  If neither is specified the device may use either
2965              protocol.
2966
2967       -chardev msmouse,id=id
2968              Forward  QEMU's  emulated  msmouse  events to the guest. msmouse
2969              does not take any options.
2970
2971       -chardev
2972       vc,id=id[[,width=width][,height=height]][[,cols=cols][,rows=rows]]
2973              Connect  to  a  QEMU  text console. vc may optionally be given a
2974              specific size.
2975
2976              width and height specify the width and  height  respectively  of
2977              the console, in pixels.
2978
2979              cols  and  rows  specify that the console be sized to fit a text
2980              console with the given dimensions.
2981
2982       -chardev ringbuf,id=id[,size=size]
2983              Create a ring buffer with fixed size size. size must be a  power
2984              of two and defaults to 64K.
2985
2986       -chardev file,id=id,path=path[,input-path=input-path]
2987              Log all traffic received from the guest to a file.
2988
2989              path specifies the path of the file to be opened. This file will
2990              be created if it does not already exist, and overwritten  if  it
2991              does.  path is required.
2992
2993              If  input-path  is  specified, this is the path of a second file
2994              which will be used for input. If input-path is not specified, no
2995              input will be available from the chardev.
2996
2997              Note that input-path is not supported on Windows hosts.
2998
2999       -chardev pipe,id=id,path=path
3000              Create  a two-way connection to the guest. The behaviour differs
3001              slightly between Windows hosts and other hosts:
3002
3003              On  Windows,  a  single  duplex  pipe   will   be   created   at
3004              \\.pipe\path.
3005
3006              On  other  hosts,  2  pipes  will  be created called path.in and
3007              path.out. Data written to path.in will be received by the guest.
3008              Data  written  by the guest can be read from path.out. QEMU will
3009              not create these fifos, and requires them to be present.
3010
3011              path forms part of the pipe path as described above. path is re‐
3012              quired.
3013
3014       -chardev console,id=id
3015              Send  traffic  from the guest to QEMU's standard output. console
3016              does not take any options.
3017
3018              console is only available on Windows hosts.
3019
3020       -chardev serial,id=id,path=path
3021              Send traffic from the guest to a serial device on the host.
3022
3023              On Unix hosts serial will actually accept any  tty  device,  not
3024              only serial lines.
3025
3026              path specifies the name of the serial device to open.
3027
3028       -chardev pty,id=id
3029              Create  a new pseudo-terminal on the host and connect to it. pty
3030              does not take any options.
3031
3032              pty is not available on Windows hosts.
3033
3034       -chardev stdio,id=id[,signal=on|off]
3035              Connect to standard  input  and  standard  output  of  the  QEMU
3036              process.
3037
3038              signal controls if signals are enabled on the terminal, that in‐
3039              cludes exiting QEMU with the key sequence Control-c. This option
3040              is enabled by default, use signal=off to disable it.
3041
3042       -chardev braille,id=id
3043              Connect  to a local BrlAPI server. braille does not take any op‐
3044              tions.
3045
3046       -chardev parallel,id=id,path=path
3047
3048              parallel is only available on Linux, FreeBSD and DragonFlyBSD
3049                     hosts.
3050
3051                     Connect to a local parallel port.
3052
3053                     path specifies the path to the parallel port device. path
3054                     is required.
3055
3056       -chardev spicevmc,id=id,debug=debug,name=name
3057              spicevmc is only available when spice support is built in.
3058
3059              debug debug level for spicevmc
3060
3061              name name of spice channel to connect to
3062
3063              Connect to a spice virtual machine channel, such as vdiport.
3064
3065       -chardev spiceport,id=id,debug=debug,name=name
3066              spiceport is only available when spice support is built in.
3067
3068              debug debug level for spicevmc
3069
3070              name name of spice port to connect to
3071
3072              Connect  to  a spice port, allowing a Spice client to handle the
3073              traffic identified by a name (preferably a fqdn).
3074
3075   TPM device options
3076       The general form of a TPM device option is:
3077
3078       -tpmdev backend,id=id[,options]
3079              The specific backend type will determine the applicable options.
3080              The  -tpmdev  option creates the TPM backend and requires a -de‐
3081              vice option that specifies the TPM frontend interface model.
3082
3083              Use -tpmdev help to print all available TPM backend types.
3084
3085       The available backends are:
3086
3087       -tpmdev passthrough,id=id,path=path,cancel-path=cancel-path
3088              (Linux-host only) Enable access to  the  host's  TPM  using  the
3089              passthrough driver.
3090
3091              path  specifies  the  path  to the host's TPM device, i.e., on a
3092              Linux host this would be /dev/tpm0. path is optional and by  de‐
3093              fault /dev/tpm0 is used.
3094
3095              cancel-path  specifies  the  path to the host TPM device's sysfs
3096              entry allowing for cancellation of an ongoing TPM command.  can‐
3097              cel-path  is  optional  and  by default QEMU will search for the
3098              sysfs entry to use.
3099
3100              Some notes about using  the  host's  TPM  with  the  passthrough
3101              driver:
3102
3103              The  TPM  device  accessed by the passthrough driver must not be
3104              used by any other application on the host.
3105
3106              Since the host's firmware (BIOS/UEFI)  has  already  initialized
3107              the  TPM, the VM's firmware (BIOS/UEFI) will not be able to ini‐
3108              tialize the TPM again and may therefore not show a  TPM-specific
3109              menu  that  would otherwise allow the user to configure the TPM,
3110              e.g., allow the user to  enable/disable  or  activate/deactivate
3111              the  TPM. Further, if TPM ownership is released from within a VM
3112              then the host's TPM will get disabled and deactivated. To enable
3113              and  activate  the  TPM again afterwards, the host has to be re‐
3114              booted and the user is required to enter the firmware's menu  to
3115              enable  and activate the TPM. If the TPM is left disabled and/or
3116              deactivated most TPM commands will fail.
3117
3118              To create a passthrough TPM use the following two options:
3119
3120                 -tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0
3121
3122              Note that the -tpmdev id  is  tpm0  and  is  referenced  by  tp‐
3123              mdev=tpm0 in the device option.
3124
3125       -tpmdev emulator,id=id,chardev=dev
3126              (Linux-host only) Enable access to a TPM emulator using Unix do‐
3127              main socket based chardev backend.
3128
3129              chardev specifies the unique ID of a  character  device  backend
3130              that provides connection to the software TPM server.
3131
3132              To  create  a  TPM  emulator  backend device with chardev socket
3133              backend:
3134
3135                 -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0
3136
3137   Boot Image or Kernel specific
3138       There are broadly 4 ways you can boot a system with QEMU.
3139
3140          • specify a firmware and let it control finding a kernel
3141
3142          • specify a firmware and pass a hint to the kernel to boot
3143
3144          • direct kernel image boot
3145
3146          • manually load files into the guest's address space
3147
3148       The third method is useful for quickly testing kernels but as there  is
3149       no  firmware  to pass configuration information to the kernel the hard‐
3150       ware must either be probeable, the kernel built for the exact  configu‐
3151       ration  or passed some configuration data (e.g. a DTB blob) which tells
3152       the kernel what drivers it needs. This exact details are often hardware
3153       specific.
3154
3155       The  final  method  is  the most generic way of loading images into the
3156       guest address space and used mostly for  bare  metal  type  development
3157       where the reset vectors of the processor are taken into account.
3158
3159       For  x86  machines and some other architectures -bios will generally do
3160       the right thing with whatever it is given. For other machines the  more
3161       strict -pflash option needs an image that is sized for the flash device
3162       for the given machine type.
3163
3164       Please see the QEMU System Emulator Targets section of the  manual  for
3165       more detailed documentation.
3166
3167       -bios file
3168              Set the filename for the BIOS.
3169
3170       -pflash file
3171              Use file as a parallel flash image.
3172
3173       The  kernel  options  were designed to work with Linux kernels although
3174       other things (like hypervisors) can be packaged up  as  a  kernel  exe‐
3175       cutable image. The exact format of a executable image is usually archi‐
3176       tecture specific.
3177
3178       The way in which the kernel is started (what address it is  loaded  at,
3179       what if any information is passed to it via CPU registers, the state of
3180       the hardware when it is started, and so on) is also  architecture  spe‐
3181       cific.  Typically  it  follows the specification laid down by the Linux
3182       kernel for how kernels for that architecture must be started.
3183
3184       -kernel bzImage
3185              Use bzImage as kernel image. The kernel can be  either  a  Linux
3186              kernel or in multiboot format.
3187
3188       -append cmdline
3189              Use cmdline as kernel command line
3190
3191       -initrd file
3192              Use file as initial ram disk.
3193
3194       -initrd "file1 arg=foo,file2"
3195              This syntax is only available with multiboot.
3196
3197              Use  file1 and file2 as modules and pass arg=foo as parameter to
3198              the first module.
3199
3200       -dtb file
3201              Use file as a device tree binary (dtb) image and pass it to  the
3202              kernel on boot.
3203
3204       Finally  you  can  also  manually load images directly into the address
3205       space of the guest. This is most useful for developers who already know
3206       the  layout  of their guest and take care to ensure something sane will
3207       happen when the reset vector executes.
3208
3209       The generic loader can be invoked by using the loader device:
3210
3211       -device
3212       loader,addr=<addr>,data=<data>,data-len=<data-len>[,data-be=<data-be>][,cpu-num=<cpu-num>]
3213
3214       there is also the guest loader which operates  in  a  similar  way  but
3215       tweaks  the  DTB  so a hypervisor loaded via -kernel can find where the
3216       guest image is:
3217
3218       -device        guest-loader,addr=<addr>[,kernel=<path>,[bootargs=<argu‐
3219       ments>]][,initrd=<path>]
3220
3221   Debug/Expert options
3222       -compat          [deprecated-input=@var{input-policy}][,deprecated-out‐
3223       put=@var{output-policy}]
3224              Set policy for handling deprecated management interfaces (exper‐
3225              imental):
3226
3227              deprecated-input=accept (default)
3228                     Accept deprecated commands and arguments
3229
3230              deprecated-input=reject
3231                     Reject deprecated commands and arguments
3232
3233              deprecated-input=crash
3234                     Crash on deprecated commands and arguments
3235
3236              deprecated-output=accept (default)
3237                     Emit deprecated command results and events
3238
3239              deprecated-output=hide
3240                     Suppress deprecated command results and events
3241
3242              Limitation: covers only syntactic aspects of QMP.
3243
3244       -compat  [unstable-input=@var{input-policy}][,unstable-output=@var{out‐
3245       put-policy}]
3246              Set policy for handling unstable management interfaces  (experi‐
3247              mental):
3248
3249              unstable-input=accept (default)
3250                     Accept unstable commands and arguments
3251
3252              unstable-input=reject
3253                     Reject unstable commands and arguments
3254
3255              unstable-input=crash
3256                     Crash on unstable commands and arguments
3257
3258              unstable-output=accept (default)
3259                     Emit unstable command results and events
3260
3261              unstable-output=hide
3262                     Suppress unstable command results and events
3263
3264              Limitation: covers only syntactic aspects of QMP.
3265
3266       -fw_cfg [name=]name,file=file
3267              Add named fw_cfg entry with contents from file file.
3268
3269       -fw_cfg [name=]name,string=str
3270              Add named fw_cfg entry with contents from string str.
3271
3272              The terminating NUL character of the contents of str will not be
3273              included as part of the fw_cfg item  data.  To  insert  contents
3274              with  embedded  NUL characters, you have to use the file parame‐
3275              ter.
3276
3277              The fw_cfg entries are passed by QEMU through to the guest.
3278
3279              Example:
3280
3281                 -fw_cfg name=opt/com.mycompany/blob,file=./my_blob.bin
3282
3283              creates an fw_cfg entry named opt/com.mycompany/blob  with  con‐
3284              tents from ./my_blob.bin.
3285
3286       -serial dev
3287              Redirect  the  virtual serial port to host character device dev.
3288              The default device is vc in graphical  mode  and  stdio  in  non
3289              graphical mode.
3290
3291              This option can be used several times to simulate up to 4 serial
3292              ports.
3293
3294              Use -serial none to disable all serial ports.
3295
3296              Available character devices are:
3297
3298              vc[:WxH]
3299                     Virtual console. Optionally, a width and  height  can  be
3300                     given in pixel with
3301
3302                        vc:800x600
3303
3304                     It is also possible to specify width or height in charac‐
3305                     ters:
3306
3307                        vc:80Cx24C
3308
3309              pty    [Linux only] Pseudo TTY (a new PTY is automatically allo‐
3310                     cated)
3311
3312              none   No device is allocated.
3313
3314              null   void device
3315
3316              chardev:id
3317                     Use  a  named  character device defined with the -chardev
3318                     option.
3319
3320              /dev/XXX
3321                     [Linux only] Use host tty, e.g. /dev/ttyS0. The host  se‐
3322                     rial  port  parameters  are set according to the emulated
3323                     ones.
3324
3325              /dev/parportN
3326                     [Linux only, parallel port only] Use host  parallel  port
3327                     N.   Currently  SPP and EPP parallel port features can be
3328                     used.
3329
3330              file:filename
3331                     Write output to filename. No character can be read.
3332
3333              stdio  [Unix only] standard input/output
3334
3335              pipe:filename
3336                     name pipe filename
3337
3338              COMn   [Windows only] Use host serial port n
3339
3340              udp:[remote_host]:remote_port[@[src_ip]:src_port]
3341                     This implements UDP  Net  Console.  When  remote_host  or
3342                     src_ip  are  not  specified they default to 0.0.0.0. When
3343                     not using a specified src_port a random port is automati‐
3344                     cally chosen.
3345
3346                     If  you  just  want a simple readonly console you can use
3347                     netcat or nc, by starting QEMU  with:  -serial  udp::4555
3348                     and  nc  as: nc -u -l -p 4555. Any time QEMU writes some‐
3349                     thing to that port it will appear in the netconsole  ses‐
3350                     sion.
3351
3352                     If you plan to send characters back via netconsole or you
3353                     want to stop and start QEMU a lot of  times,  you  should
3354                     have  QEMU  use  the  same source port each time by using
3355                     something like -serial udp::4555@:4556 to  QEMU.  Another
3356                     approach  is to use a patched version of netcat which can
3357                     listen to a TCP port and send and receive characters  via
3358                     udp.  If you have a patched version of netcat which acti‐
3359                     vates telnet remote echo and single char  transfer,  then
3360                     you  can  use  the  following  options to set up a netcat
3361                     redirector to allow telnet on port  5555  to  access  the
3362                     QEMU port.
3363
3364                     QEMU Options:
3365                            -serial udp::4555@:4556
3366
3367                     netcat options:
3368                            -u -P 4555 -L 0.0.0.0:4556 -t -p 5555 -I -T
3369
3370                     telnet options:
3371                            localhost 5555
3372
3373              tcp:[host]:port[,server=on|off][,wait=on|off][,node‐
3374              lay=on|off][,reconnect=seconds]
3375                     The TCP Net Console has two modes of  operation.  It  can
3376                     send  the  serial I/O to a location or wait for a connec‐
3377                     tion from a location. By default the TCP Net  Console  is
3378                     sent to host at the port. If you use the server=on option
3379                     QEMU will wait for a client socket application to connect
3380                     to the port before continuing, unless the wait=on|off op‐
3381                     tion was specified. The  nodelay=on|off  option  disables
3382                     the  Nagle  buffering  algorithm. The reconnect=on option
3383                     only applies if server=no is set, if the connection  goes
3384                     down  it will attempt to reconnect at the given interval.
3385                     If host is omitted, 0.0.0.0 is assumed. Only one TCP con‐
3386                     nection  at  a time is accepted. You can use telnet=on to
3387                     connect to the corresponding character device.
3388
3389                     Example to send tcp console to 192.168.0.2 port 4444
3390                            -serial tcp:192.168.0.2:4444
3391
3392                     Example to listen and wait on port 4444 for connection
3393                            -serial tcp::4444,server=on
3394
3395                     Example to not wait and listen on ip  192.168.0.100  port
3396                     4444
3397                            -serial tcp:192.168.0.100:4444,server=on,wait=off
3398
3399              telnet:host:port[,server=on|off][,wait=on|off][,nodelay=on|off]
3400                     The  telnet  protocol is used instead of raw tcp sockets.
3401                     The options work the same as if you had specified -serial
3402                     tcp.   The difference is that the port acts like a telnet
3403                     server or client using telnet  option  negotiation.  This
3404                     will  also  allow you to send the MAGIC_SYSRQ sequence if
3405                     you use a telnet that  supports  sending  the  break  se‐
3406                     quence. Typically in unix telnet you do it with Control-]
3407                     and then type "send break" followed by pressing the enter
3408                     key.
3409
3410              websocket:host:port,server=on[,wait=on|off][,nodelay=on|off]
3411                     The WebSocket protocol is used instead of raw tcp socket.
3412                     The port acts as a WebSocket server. Client mode  is  not
3413                     supported.
3414
3415              unix:path[,server=on|off][,wait=on|off][,reconnect=seconds]
3416                     A unix domain socket is used instead of a tcp socket. The
3417                     option works the same as if you had specified -serial tcp
3418                     except  the  unix  domain socket path is used for connec‐
3419                     tions.
3420
3421              mon:dev_string
3422                     This is a special option to allow the monitor to be  mul‐
3423                     tiplexed  onto  another  serial  port. The monitor is ac‐
3424                     cessed with key sequence of Control-a and  then  pressing
3425                     c.  dev_string  should  be  any one of the serial devices
3426                     specified above. An example to multiplex the monitor onto
3427                     a telnet server listening on port 4444 would be:
3428
3429                     -serial mon:telnet::4444,server=on,wait=off
3430
3431                     When  the  monitor  is  multiplexed to stdio in this way,
3432                     Ctrl+C will not terminate  QEMU  any  more  but  will  be
3433                     passed to the guest instead.
3434
3435              braille
3436                     Braille  device.  This  will  use  BrlAPI  to display the
3437                     braille output on a real or fake device.
3438
3439              msmouse
3440                     Three button serial mouse. Configure the guest to use Mi‐
3441                     crosoft protocol.
3442
3443       -parallel dev
3444              Redirect  the virtual parallel port to host device dev (same de‐
3445              vices as the serial port). On Linux hosts, /dev/parportN can  be
3446              used to use hardware devices connected on the corresponding host
3447              parallel port.
3448
3449              This option can be used several times to simulate up to 3 paral‐
3450              lel ports.
3451
3452              Use -parallel none to disable all parallel ports.
3453
3454       -monitor dev
3455              Redirect the monitor to host device dev (same devices as the se‐
3456              rial port). The default device is vc in graphical mode and stdio
3457              in  non graphical mode. Use -monitor none to disable the default
3458              monitor.
3459
3460       -qmp dev
3461              Like -monitor but opens in 'control' mode. For example, to  make
3462              QMP available on localhost port 4444:
3463
3464                 -qmp tcp:localhost:4444,server=on,wait=off
3465
3466              Not  all  options  are configurable via this syntax; for maximum
3467              flexibility use the -mon option and an accompanying -chardev.
3468
3469       -qmp-pretty dev
3470              Like -qmp but uses pretty JSON formatting.
3471
3472       -mon [chardev=]name[,mode=readline|control][,pretty[=on|off]]
3473              Set up a monitor connected to the chardev name.   QEMU  supports
3474              two  monitors: the Human Monitor Protocol (HMP; for human inter‐
3475              action), and the QEMU Monitor Protocol (QMP;  a  JSON  RPC-style
3476              protocol).   The  default  is  HMP; mode=control selects QMP in‐
3477              stead.  pretty is only valid when mode=control, turning on  JSON
3478              pretty printing to ease human reading and debugging.
3479
3480              For example:
3481
3482                 -chardev socket,id=mon1,host=localhost,port=4444,server=on,wait=off \
3483                 -mon chardev=mon1,mode=control,pretty=on
3484
3485              enables   the   QMP   monitor   on   localhost  port  4444  with
3486              pretty-printing.
3487
3488       -debugcon dev
3489              Redirect the debug console to host device dev (same  devices  as
3490              the serial port). The debug console is an I/O port which is typ‐
3491              ically port 0xe9; writing to that I/O port sends output to  this
3492              device.  The default device is vc in graphical mode and stdio in
3493              non graphical mode.
3494
3495       -pidfile file
3496              Store the QEMU process PID in file. It is useful if  you  launch
3497              QEMU from a script.
3498
3499       -singlestep
3500              This  is  a  deprecated synonym for the TCG accelerator property
3501              one-insn-per-tb.
3502
3503       --preconfig
3504              Pause QEMU for interactive configuration before the  machine  is
3505              created,  which  allows querying and configuring properties that
3506              will affect machine initialization. Use QMP command 'x-exit-pre‐
3507              config'  to  exit the preconfig state and move to the next state
3508              (i.e. run guest if -S isn't used or pause the second time if  -S
3509              is used). This option is experimental.
3510
3511       -S     Do not start CPU at startup (you must type 'c' in the monitor).
3512
3513       -overcommit mem-lock=on|off
3514
3515
3516       -overcommit cpu-pm=on|off
3517              Run  qemu with hints about host resource overcommit. The default
3518              is to assume that host overcommits all resources.
3519
3520              Locking qemu and guest memory can  be  enabled  via  mem-lock=on
3521              (disabled  by default). This works when host memory is not over‐
3522              committed and reduces the worst-case latency for guest.
3523
3524              Guest ability to manage power state of host cpus (increasing la‐
3525              tency  for  other processes on the same host cpu, but decreasing
3526              latency for guest) can be enabled via cpu-pm=on (disabled by de‐
3527              fault). This works best when host CPU is not overcommitted. When
3528              used, host estimates of CPU cycle and power utilization will  be
3529              incorrect, not taking into account guest idle time.
3530
3531       -gdb dev
3532              Accept a gdb connection on device dev (see the GDB usage chapter
3533              in the System Emulation Users Guide). Note that this option does
3534              not  pause  QEMU  execution -- if you want QEMU to not start the
3535              guest until you connect with gdb and issue a  continue  command,
3536              you will need to also pass the -S option to QEMU.
3537
3538              The most usual configuration is to listen on a local TCP socket:
3539
3540                 -gdb tcp::3117
3541
3542              but  you  can  specify  other backends; UDP, pseudo TTY, or even
3543              stdio are all reasonable use cases. For example, a stdio connec‐
3544              tion  allows you to start QEMU from within gdb and establish the
3545              connection via a pipe:
3546
3547                 (gdb) target remote | exec qemu-system-x86_64 -gdb stdio ...
3548
3549       -s     Shorthand for -gdb tcp::1234, i.e. open a gdbserver on TCP  port
3550              1234  (see  the  GDB usage chapter in the System Emulation Users
3551              Guide).
3552
3553       -d item1[,...]
3554              Enable logging of specified items. Use '-d help' for a  list  of
3555              log items.
3556
3557       -D logfile
3558              Output log in logfile instead of to stderr
3559
3560       -dfilter range1[,...]
3561              Filter  debug  output  to that relevant to a range of target ad‐
3562              dresses.  The filter spec can be either  start+size,  start-size
3563              or  start..end  where  start  end and size are the addresses and
3564              sizes required. For example:
3565
3566                 -dfilter 0x8000..0x8fff,0xffffffc000080000+0x200,0xffffffc000060000-0x1000
3567
3568              Will dump output for any code in the 0x1000 sized block starting
3569              at    0x8000   and   the   0x200   sized   block   starting   at
3570              0xffffffc000080000 and another 0x1000 sized  block  starting  at
3571              0xffffffc00005f000.
3572
3573       -seed number
3574              Force the guest to use a deterministic pseudo-random number gen‐
3575              erator, seeded with number. This does not affect crypto routines
3576              within the host.
3577
3578       -L path
3579              Set the directory for the BIOS, VGA BIOS and keymaps.
3580
3581              To list all the data directories, use -L help.
3582
3583       -enable-kvm
3584              Enable  KVM  full  virtualization  support.  This option is only
3585              available if KVM support is enabled when compiling.
3586
3587       -xen-domid id
3588              Specify xen guest domain id (XEN only).
3589
3590       -xen-attach
3591              Attach to existing xen domain. libxl will use this when starting
3592              QEMU  (XEN  only).  Restrict  set of available xen operations to
3593              specified domain id (XEN only).
3594
3595       -no-reboot
3596              Exit instead of rebooting.
3597
3598       -no-shutdown
3599              Don't exit QEMU on guest shutdown, but instead only stop the em‐
3600              ulation. This allows for instance switching to monitor to commit
3601              changes to the disk image.
3602
3603       -action event=action
3604              The action parameter serves to modify  QEMU's  default  behavior
3605              when  certain  guest  events occur. It provides a generic method
3606              for specifying the same  behaviors  that  are  modified  by  the
3607              -no-reboot and -no-shutdown parameters.
3608
3609              Examples:
3610
3611              -action  panic=none  -action reboot=shutdown,shutdown=pause -de‐
3612              vice i6300esb -action watchdog=pause
3613
3614       -loadvm file
3615              Start right away with a saved state (loadvm in monitor)
3616
3617       -daemonize
3618              Daemonize the QEMU process after initialization. QEMU  will  not
3619              detach from standard IO until it is ready to receive connections
3620              on any of its devices. This option is a useful way for  external
3621              programs  to launch QEMU without having to cope with initializa‐
3622              tion race conditions.
3623
3624       -option-rom file
3625              Load the contents of file as an option ROM. This option is  use‐
3626              ful to load things like EtherBoot.
3627
3628       -rtc           [base=utc|localtime|datetime][,clock=host|rt|vm][,drift‐
3629       fix=none|slew]
3630              Specify base as utc or localtime to let the  RTC  start  at  the
3631              current  UTC  or local time, respectively. localtime is required
3632              for correct date in MS-DOS or Windows. To start  at  a  specific
3633              point    in    time,    provide    datetime    in   the   format
3634              2006-06-17T16:01:21 or 2006-06-17. The default base is UTC.
3635
3636              By default the RTC is driven by the host system time.  This  al‐
3637              lows  using  of  the  RTC as accurate reference clock inside the
3638              guest, specifically if the host time is  smoothly  following  an
3639              accurate  external reference clock, e.g. via NTP. If you want to
3640              isolate the guest time from the host, you can set  clock  to  rt
3641              instead,  which  provides a host monotonic clock if host support
3642              it. To even prevent the RTC from progressing during  suspension,
3643              you  can  set  clock to vm (virtual clock). 'clock=vm' is recom‐
3644              mended especially in icount mode in order to preserve  determin‐
3645              ism;  however, note that in icount mode the speed of the virtual
3646              clock is variable and can in general differ from the host clock.
3647
3648              Enable driftfix (i386 targets only) if you experience time drift
3649              problems,  specifically with Windows' ACPI HAL. This option will
3650              try to figure out how many timer interrupts were  not  processed
3651              by the Windows guest and will re-inject them.
3652
3653       -icount     [shift=N|auto][,align=on|off][,sleep=on|off][,rr=record|re‐
3654       play,rrfile=filename[,rrsnapshot=snapshot]]
3655              Enable virtual instruction counter. The virtual cpu will execute
3656              one  instruction every 2^N ns of virtual time. If auto is speci‐
3657              fied then the virtual cpu speed will be  automatically  adjusted
3658              to keep virtual time within a few seconds of real time.
3659
3660              Note  that while this option can give deterministic behavior, it
3661              does not provide cycle accurate emulation. Modern  CPUs  contain
3662              superscalar  out  of order cores with complex cache hierarchies.
3663              The number of instructions executed often has little or no  cor‐
3664              relation with actual performance.
3665
3666              When  the virtual cpu is sleeping, the virtual time will advance
3667              at default speed unless sleep=on is  specified.  With  sleep=on,
3668              the  virtual time will jump to the next timer deadline instantly
3669              whenever the virtual cpu goes to sleep mode and will not advance
3670              if no timer is enabled. This behavior gives deterministic execu‐
3671              tion times from the guest point of view.  The default if  icount
3672              is  enabled is sleep=off.  sleep=on cannot be used together with
3673              either shift=auto or align=on.
3674
3675              align=on will activate the delay algorithm  which  will  try  to
3676              synchronise the host clock and the virtual clock. The goal is to
3677              have a guest running at the real frequency imposed by the  shift
3678              option. Whenever the guest clock is behind the host clock and if
3679              align=on is specified then we print a message to the user to in‐
3680              form  about  the delay. Currently this option does not work when
3681              shift is auto. Note: The sync  algorithm  will  work  for  those
3682              shift  values  for  which the guest clock runs ahead of the host
3683              clock.  Typically this happens when the shift value is high (how
3684              high  depends on the host machine). The default if icount is en‐
3685              abled is align=off.
3686
3687              When the rr option is specified deterministic  record/replay  is
3688              enabled. The rrfile= option must also be provided to specify the
3689              path to the replay log. In record mode data is written  to  this
3690              file, and in replay mode it is read back.  If the rrsnapshot op‐
3691              tion is given then it specifies a VM snapshot  name.  In  record
3692              mode,  a  new  VM snapshot with the given name is created at the
3693              start of execution recording. In replay mode this option  speci‐
3694              fies the snapshot name used to load the initial VM state.
3695
3696       -watchdog-action action
3697              The  action  controls  what QEMU will do when the watchdog timer
3698              expires. The default is  reset  (forcefully  reset  the  guest).
3699              Other  possible  actions  are:  shutdown  (attempt to gracefully
3700              shutdown the guest), poweroff (forcefully poweroff  the  guest),
3701              inject-nmi  (inject  a  NMI  into  the  guest), pause (pause the
3702              guest), debug (print a debug message and continue), or none  (do
3703              nothing).
3704
3705              Note  that  the shutdown action requires that the guest responds
3706              to ACPI signals, which it may not be able to do in the  sort  of
3707              situations  where  the  watchdog  would  have  expired, and thus
3708              -watchdog-action shutdown is not recommended for production use.
3709
3710              Examples:
3711
3712              -device i6300esb -watchdog-action pause
3713
3714       -echr numeric_ascii_value
3715              Change the escape character used for switching  to  the  monitor
3716              when  using monitor and serial sharing. The default is 0x01 when
3717              using the -nographic option. 0x01  is  equal  to  pressing  Con‐
3718              trol-a. You can select a different character from the ascii con‐
3719              trol keys where 1 through 26 map to Control-a through Control-z.
3720              For instance you could use the either of the following to change
3721              the escape character to Control-t.
3722
3723              -echr 0x14; -echr 20
3724
3725       -incoming tcp:[host]:port[,to=maxport][,ipv4=on|off][,ipv6=on|off]
3726
3727
3728       -incoming rdma:host:port[,ipv4=on|off][,ipv6=on|off]
3729              Prepare for incoming migration, listen on a given tcp port.
3730
3731       -incoming unix:socketpath
3732              Prepare for incoming migration, listen on a given unix socket.
3733
3734       -incoming fd:fd
3735              Accept incoming migration from a given filedescriptor.
3736
3737       -incoming exec:cmdline
3738              Accept incoming migration as an output from  specified  external
3739              command.
3740
3741       -incoming defer
3742              Wait for the URI to be specified via migrate_incoming. The moni‐
3743              tor can be used to change settings (such  as  migration  parame‐
3744              ters)  prior to issuing the migrate_incoming to allow the migra‐
3745              tion to begin.
3746
3747       -only-migratable
3748              Only allow migratable devices. Devices will not  be  allowed  to
3749              enter an unmigratable state.
3750
3751       -nodefaults
3752              Don't  create  default  devices. Normally, QEMU sets the default
3753              devices like serial port, parallel port, virtual console,  moni‐
3754              tor device, VGA adapter, floppy and CD-ROM drive and others. The
3755              -nodefaults option will disable all those default devices.
3756
3757       -chroot dir
3758              Deprecated, use '-run-with chroot=...' instead.  Immediately be‐
3759              fore  starting  guest  execution, chroot to the specified direc‐
3760              tory. Especially useful in combination with -runas.
3761
3762       -runas user
3763              Immediately before starting guest execution,  drop  root  privi‐
3764              leges, switching to the specified user.
3765
3766       -prom-env variable=value
3767              Set OpenBIOS nvram variable to given value (PPC, SPARC only).
3768
3769                 qemu-system-sparc -prom-env 'auto-boot?=false' \
3770                  -prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'
3771
3772                 qemu-system-ppc -prom-env 'auto-boot?=false' \
3773                  -prom-env 'boot-device=hd:2,\yaboot' \
3774                  -prom-env 'boot-args=conf=hd:2,\yaboot.conf'
3775
3776       -semihosting
3777              Enable  Semihosting  mode  (ARM,  M68K,  Xtensa,  MIPS, Nios II,
3778              RISC-V only).
3779
3780              WARNING:
3781                 Note that  this  allows  guest  direct  access  to  the  host
3782                 filesystem, so should only be used with a trusted guest OS.
3783
3784              See the -semihosting-config option documentation for further in‐
3785              formation about the facilities this enables.
3786
3787       -semihosting-config                         [enable=on|off][,target=na‐
3788       tive|gdb|auto][,chardev=id][,userspace=on|off][,arg=str[,...]]
3789              Enable  and configure Semihosting (ARM, M68K, Xtensa, MIPS, Nios
3790              II, RISC-V only).
3791
3792              WARNING:
3793                 Note that  this  allows  guest  direct  access  to  the  host
3794                 filesystem, so should only be used with a trusted guest OS.
3795
3796              target=native|gdb|auto
3797                     Defines where the semihosting calls will be addressed, to
3798                     QEMU (native) or to GDB (gdb). The default is auto, which
3799                     means gdb during debug sessions and native otherwise.
3800
3801              chardev=str1
3802                     Send the output to a chardev backend output for native or
3803                     auto output when not in gdb
3804
3805              userspace=on|off
3806                     Allows code running in  guest  userspace  to  access  the
3807                     semihosting  interface.  The  default is that only privi‐
3808                     leged guest code can make semihosting  calls.  Note  that
3809                     setting  userspace=on  should  only  be used if all guest
3810                     code is trusted (for example,  in  bare-metal  test  case
3811                     code).
3812
3813              arg=str1,arg=str2,...
3814                     Allows  the user to pass input arguments, and can be used
3815                     multiple times to build up a list.  The  old-style  -ker‐
3816                     nel/-append  method  of  passing  a command line is still
3817                     supported for backward compatibility. If both the --semi‐
3818                     hosting-config arg and the -kernel/-append are specified,
3819                     the former is passed to semihosting as  it  always  takes
3820                     precedence.
3821
3822       -old-param
3823              Old param mode (ARM only).
3824
3825       -sandbox                           arg[,obsolete=string][,elevateprivi‐
3826       leges=string][,spawn=string][,resourcecontrol=string]
3827              Enable Seccomp mode 2  system  call  filter.  'on'  will  enable
3828              syscall  filtering  and  'off'  will  disable it. The default is
3829              'off'.
3830
3831              obsolete=string
3832                     Enable Obsolete system calls
3833
3834              elevateprivileges=string
3835                     Disable set*uid|gid system calls
3836
3837              spawn=string
3838                     Disable *fork and execve
3839
3840              resourcecontrol=string
3841                     Disable process affinity and schedular priority
3842
3843       -readconfig file
3844              Read device configuration from file.  This  approach  is  useful
3845              when  you  want to spawn QEMU process with many command line op‐
3846              tions but you don't want to exceed the  command  line  character
3847              limit.
3848
3849       -no-user-config
3850              The  -no-user-config  option  makes  QEMU  not  load  any of the
3851              user-provided config files on sysconfdir.
3852
3853       -trace [[enable=]pattern][,events=file][,file=file]
3854              Specify tracing options.
3855
3856              [enable=]PATTERN
3857                 Immediately enable events matching PATTERN (either event name
3858                 or  a  globbing  pattern).   This option is only available if
3859                 QEMU has been compiled with the simple, log or ftrace tracing
3860                 backend.  To specify multiple events or patterns, specify the
3861                 -trace option multiple times.
3862
3863                 Use -trace help to print a list of names of trace points.
3864
3865              events=FILE
3866                 Immediately enable events listed in FILE.  The file must con‐
3867                 tain  one event name (as listed in the trace-events-all file)
3868                 per line; globbing patterns are accepted too.  This option is
3869                 only available if QEMU has been compiled with the simple, log
3870                 or ftrace tracing backend.
3871
3872              file=FILE
3873                 Log output traces to FILE.  This option is only available  if
3874                 QEMU has been compiled with the simple tracing backend.
3875
3876       -plugin file=file[,argname=argvalue]
3877              Load a plugin.
3878
3879              file=file
3880                     Load the given plugin from a shared library file.
3881
3882              argname=argvalue
3883                     Argument  passed  to  the  plugin. (Can be given multiple
3884                     times.)
3885
3886       -async-teardown
3887              This option is deprecated and should no longer be used. The  new
3888              option -run-with async-teardown=on is a replacement.
3889
3890       -run-with [async-teardown=on|off][,chroot=dir]
3891              Set QEMU process lifecycle options.
3892
3893              async-teardown=on  enables  asynchronous teardown. A new process
3894              called "cleanup/<QEMU_PID>" will be created at  startup  sharing
3895              the  address  space  with the main QEMU process, using clone. It
3896              will wait for the main QEMU process to terminate completely, and
3897              then  exit.  This  allows QEMU to terminate very quickly even if
3898              the guest was huge, leaving the teardown of the address space to
3899              the  cleanup  process. Since the cleanup process shares the same
3900              cgroups as the main QEMU process, accounting is  performed  cor‐
3901              rectly. This only works if the cleanup process is not forcefully
3902              killed with SIGKILL before the main QEMU process has  terminated
3903              completely.
3904
3905              chroot=dir  can  be used for doing a chroot to the specified di‐
3906              rectory immediately before starting the guest execution. This is
3907              especially useful in combination with -runas.
3908
3909       -msg [timestamp[=on|off]][,guest-name[=on|off]]
3910              Control error message format.
3911
3912              timestamp=on|off
3913                     Prefix messages with a timestamp. Default is off.
3914
3915              guest-name=on|off
3916                     Prefix  messages  with guest name but only if -name guest
3917                     option is set otherwise the option is ignored. Default is
3918                     off.
3919
3920       -dump-vmstate file
3921              Dump  json-encoded  vmstate information for current machine type
3922              to file in file
3923
3924       -enable-sync-profile
3925              Enable synchronization profiling.
3926
3927       -perfmap
3928              Generate a map file for Linux perf tools that will  allow  basic
3929              profiling information to be broken down into basic blocks.
3930
3931       -jitdump
3932              Generate a dump file for Linux perf tools that maps basic blocks
3933              to symbol names, line numbers and JITted code.
3934
3935   Generic object creation
3936       -object typename[,prop1=value1,...]
3937              Create a new object of type typename setting properties  in  the
3938              order  they  are  specified. Note that the 'id' property must be
3939              set. These objects are placed in the '/objects' path.
3940
3941              -object                                             memory-back‐
3942              end-file,id=id,size=size,mem-path=dir,share=on|off,dis‐
3943              card-data=on|off,merge=on|off,dump=on|off,preal‐
3944              loc=on|off,host-nodes=host-nodes,policy=default|pre‐
3945              ferred|bind|interleave,align=align,offset=offset,readonly=on|off
3946                     Creates a memory file backend object, which can  be  used
3947                     to back the guest RAM with huge pages.
3948
3949                     The id parameter is a unique ID that will be used to ref‐
3950                     erence this  memory  region  in  other  parameters,  e.g.
3951                     -numa, -device nvdimm, etc.
3952
3953                     The  size  option provides the size of the memory region,
3954                     and accepts common suffixes, e.g. 500M.
3955
3956                     The mem-path provides the path to either a shared  memory
3957                     or huge page filesystem mount.
3958
3959                     The  share  boolean  option determines whether the memory
3960                     region is marked as private to QEMU, or shared. The  lat‐
3961                     ter  allows a co-operating external process to access the
3962                     QEMU memory region.
3963
3964                     The share is also required for pvrdma devices due to lim‐
3965                     itations in the RDMA API provided by Linux.
3966
3967                     Setting  share=on  might  affect the ability to configure
3968                     NUMA bindings for the memory backend under  some  circum‐
3969                     stances,  see  Documentation/vm/numa_memory_policy.txt on
3970                     the Linux kernel source tree for additional details.
3971
3972                     Setting the discard-data boolean option to  on  indicates
3973                     that  file  contents can be destroyed when QEMU exits, to
3974                     avoid unnecessarily flushing data to  the  backing  file.
3975                     Note  that discard-data is only an optimization, and QEMU
3976                     might not discard file contents if it aborts unexpectedly
3977                     or is terminated using SIGKILL.
3978
3979                     The merge boolean option enables memory merge, also known
3980                     as MADV_MERGEABLE, so that Kernel Samepage  Merging  will
3981                     consider the pages for memory deduplication.
3982
3983                     Setting  the dump boolean option to off excludes the mem‐
3984                     ory from core  dumps.  This  feature  is  also  known  as
3985                     MADV_DONTDUMP.
3986
3987                     The prealloc boolean option enables memory preallocation.
3988
3989                     The host-nodes option binds the memory range to a list of
3990                     NUMA host nodes.
3991
3992                     The policy option sets the NUMA policy to one of the fol‐
3993                     lowing values:
3994
3995                     default
3996                            default host policy
3997
3998                     preferred
3999                            prefer the given host node list for allocation
4000
4001                     bind   restrict  memory allocation to the given host node
4002                            list
4003
4004                     interleave
4005                            interleave memory  allocations  across  the  given
4006                            host node list
4007
4008                     The  align  option  specifies  the base address alignment
4009                     when QEMU mmap(2) mem-path, and accepts common  suffixes,
4010                     eg  2M. Some backend store specified by mem-path requires
4011                     an alignment different than the default one used by QEMU,
4012                     eg  the  device  DAX  /dev/dax0.0  requires  2M alignment
4013                     rather than 4K. In such cases, users can specify the  re‐
4014                     quired alignment via this option.
4015
4016                     The  offset  option  specifies the offset into the target
4017                     file that the region starts at. You can use this  parame‐
4018                     ter to back multiple regions with a single file.
4019
4020                     The pmem option specifies whether the backing file speci‐
4021                     fied by mem-path is in host persistent memory that can be
4022                     accessed using the SNIA NVM programming model (e.g. Intel
4023                     NVDIMM). If pmem is set to 'on', QEMU will take necessary
4024                     operations to guarantee the persistence of its own writes
4025                     to mem-path (e.g. in vNVDIMM label emulation and live mi‐
4026                     gration).   Also,  we  will  map  the  backend-file  with
4027                     MAP_SYNC flag, which ensures the file metadata is in sync
4028                     for  mem-path  in  case of host crash or a power failure.
4029                     MAP_SYNC requires  support  from  both  the  host  kernel
4030                     (since  Linux kernel 4.15) and the filesystem of mem-path
4031                     mounted with DAX option.
4032
4033                     The readonly option specifies whether the backing file is
4034                     opened read-only or read-write (default).
4035
4036              -object                                             memory-back‐
4037              end-ram,id=id,merge=on|off,dump=on|off,share=on|off,preal‐
4038              loc=on|off,size=size,host-nodes=host-nodes,policy=default|pre‐
4039              ferred|bind|interleave
4040                     Creates a memory backend object, which  can  be  used  to
4041                     back  the  guest  RAM.  Memory backend objects offer more
4042                     control than the -m option that is traditionally used  to
4043                     define  guest  RAM.   Please refer to memory-backend-file
4044                     for a description of the options.
4045
4046              -object                                             memory-back‐
4047              end-memfd,id=id,merge=on|off,dump=on|off,share=on|off,preal‐
4048              loc=on|off,size=size,host-nodes=host-nodes,policy=default|pre‐
4049              ferred|bind|interleave,seal=on|off,hugetlb=on|off,hugetlb‐
4050              size=size
4051                     Creates an anonymous memory file  backend  object,  which
4052                     allows  QEMU to share the memory with an external process
4053                     (e.g. when using vhost-user).  The  memory  is  allocated
4054                     with memfd and optional sealing. (Linux only)
4055
4056                     The  seal  option  creates a sealed-file, that will block
4057                     further resizing the memory ('on' by default).
4058
4059                     The hugetlb option specify the file to be created resides
4060                     in  the  hugetlbfs filesystem (since Linux 4.14). Used in
4061                     conjunction with the hugetlb option, the hugetlbsize  op‐
4062                     tion  specify  the hugetlb page size on systems that sup‐
4063                     port multiple hugetlb page sizes (it must be a power of 2
4064                     value supported by the system).
4065
4066                     In  some  versions of Linux, the hugetlb option is incom‐
4067                     patible with the seal option  (requires  at  least  Linux
4068                     4.16).
4069
4070                     Please  refer to memory-backend-file for a description of
4071                     the other options.
4072
4073                     The share boolean option is on by default with memfd.
4074
4075              -object rng-builtin,id=id
4076                     Creates a random number generator backend  which  obtains
4077                     entropy  from QEMU builtin functions. The id parameter is
4078                     a unique ID that will be used to reference  this  entropy
4079                     backend  from the virtio-rng device. By default, the vir‐
4080                     tio-rng device uses this RNG backend.
4081
4082              -object rng-random,id=id,filename=/dev/random
4083                     Creates a random number generator backend  which  obtains
4084                     entropy  from a device on the host. The id parameter is a
4085                     unique ID that will be used  to  reference  this  entropy
4086                     backend  from the virtio-rng device. The filename parame‐
4087                     ter specifies which file to obtain entropy  from  and  if
4088                     omitted defaults to /dev/urandom.
4089
4090              -object rng-egd,id=id,chardev=chardevid
4091                     Creates  a  random number generator backend which obtains
4092                     entropy from an external daemon running on the host.  The
4093                     id  parameter  is a unique ID that will be used to refer‐
4094                     ence this entropy backend from the virtio-rng device. The
4095                     chardev  parameter is the unique ID of a character device
4096                     backend that provides the connection to the RNG daemon.
4097
4098              -object                       tls-creds-anon,id=id,endpoint=end‐
4099              point,dir=/path/to/cred/dir,verify-peer=on|off
4100                     Creates  a TLS anonymous credentials object, which can be
4101                     used to provide TLS support on network backends.  The  id
4102                     parameter  is a unique ID which network backends will use
4103                     to access the credentials. The endpoint is either  server
4104                     or  client  depending on whether the QEMU network backend
4105                     that uses the credentials will be acting as a  client  or
4106                     as a server. If verify-peer is enabled (the default) then
4107                     once the handshake is  completed,  the  peer  credentials
4108                     will  be  verified,  though this is a no-op for anonymous
4109                     credentials.
4110
4111                     The dir parameter tells QEMU where to find the credential
4112                     files.   For server endpoints, this directory may contain
4113                     a file dh-params.pem providing diffie-hellman  parameters
4114                     to  use  for the TLS server. If the file is missing, QEMU
4115                     will generate a set of DH parameters at startup. This  is
4116                     a  computationally expensive operation that consumes ran‐
4117                     dom pool entropy, so it is recommended that a  persistent
4118                     set of parameters be generated upfront and saved.
4119
4120              -object                        tls-creds-psk,id=id,endpoint=end‐
4121              point,dir=/path/to/keys/dir[,username=username]
4122                     Creates a TLS Pre-Shared Keys (PSK)  credentials  object,
4123                     which can be used to provide TLS support on network back‐
4124                     ends. The id parameter is a unique ID which network back‐
4125                     ends  will use to access the credentials. The endpoint is
4126                     either server or client depending  on  whether  the  QEMU
4127                     network  backend that uses the credentials will be acting
4128                     as a client or as a server.  For clients  only,  username
4129                     is  the  username  which  will  be sent to the server. If
4130                     omitted it defaults to "qemu".
4131
4132                     The dir parameter tells QEMU where to find the keys file.
4133                     It  is  called "dir/keys.psk" and contains "username:key"
4134                     pairs. This file can most easily  be  created  using  the
4135                     GnuTLS psktool program.
4136
4137                     For  server  endpoints,  dir  may  also  contain  a  file
4138                     dh-params.pem providing diffie-hellman parameters to  use
4139                     for  the  TLS  server.  If the file is missing, QEMU will
4140                     generate a set of DH parameters at  startup.  This  is  a
4141                     computationally  expensive operation that consumes random
4142                     pool entropy, so it is recommended that a persistent  set
4143                     of parameters be generated up front and saved.
4144
4145              -object                       tls-creds-x509,id=id,endpoint=end‐
4146              point,dir=/path/to/cred/dir,priority=priority,ver‐
4147              ify-peer=on|off,passwordid=id
4148                     Creates  a TLS anonymous credentials object, which can be
4149                     used to provide TLS support on network backends.  The  id
4150                     parameter  is a unique ID which network backends will use
4151                     to access the credentials. The endpoint is either  server
4152                     or  client  depending on whether the QEMU network backend
4153                     that uses the credentials will be acting as a  client  or
4154                     as a server. If verify-peer is enabled (the default) then
4155                     once the handshake is  completed,  the  peer  credentials
4156                     will  be  verified.  With x509 certificates, this implies
4157                     that the clients must be provided with valid client  cer‐
4158                     tificates too.
4159
4160                     The dir parameter tells QEMU where to find the credential
4161                     files.  For server endpoints, this directory may  contain
4162                     a  file dh-params.pem providing diffie-hellman parameters
4163                     to use for the TLS server. If the file is  missing,  QEMU
4164                     will  generate a set of DH parameters at startup. This is
4165                     a computationally expensive operation that consumes  ran‐
4166                     dom  pool entropy, so it is recommended that a persistent
4167                     set of parameters be generated upfront and saved.
4168
4169                     For x509 certificate credentials the directory will  con‐
4170                     tain  further  files providing the x509 certificates. The
4171                     certificates must be stored in PEM format,  in  filenames
4172                     ca-cert.pem, ca-crl.pem (optional), server-cert.pem (only
4173                     servers), server-key.pem (only servers),  client-cert.pem
4174                     (only clients), and client-key.pem (only clients).
4175
4176                     For  the  server-key.pem  and  client-key.pem files which
4177                     contain sensitive private keys, it is possible to use  an
4178                     encrypted  version by providing the passwordid parameter.
4179                     This provides the ID of a previously created  secret  ob‐
4180                     ject containing the password for decryption.
4181
4182                     The  priority parameter allows to override the global de‐
4183                     fault priority used by gnutls. This can be useful if  the
4184                     system  administrator needs to use a weaker set of crypto
4185                     priorities for QEMU without potentially forcing the weak‐
4186                     ness  onto  all  applications. Or conversely if one wants
4187                     wants a stronger default for QEMU than for all other  ap‐
4188                     plications,  they can do this through this parameter. Its
4189                     format is  a  gnutls  priority  string  as  described  at
4190                     https://gnutls.org/manual/html_node/Priority-Strings.html.
4191
4192              -object tls-cipher-suites,id=id,priority=priority
4193                     Creates a TLS cipher suites object, which can be used  to
4194                     control  the TLS cipher/protocol algorithms that applica‐
4195                     tions are permitted to use.
4196
4197                     The id parameter is a unique ID which frontends will  use
4198                     to access the ordered list of permitted TLS cipher suites
4199                     from the host.
4200
4201                     The priority parameter allows to override the global  de‐
4202                     fault  priority used by gnutls. This can be useful if the
4203                     system administrator needs to use a weaker set of  crypto
4204                     priorities for QEMU without potentially forcing the weak‐
4205                     ness onto all applications. Or conversely  if  one  wants
4206                     wants  a stronger default for QEMU than for all other ap‐
4207                     plications, they can do this through this parameter.  Its
4208                     format  is  a  gnutls  priority  string  as  described at
4209                     https://gnutls.org/manual/html_node/Priority-Strings.html.
4210
4211                     An example of use of this object is to control UEFI HTTPS
4212                     Boot.  The tls-cipher-suites object exposes  the  ordered
4213                     list of permitted TLS cipher suites from the host side to
4214                     the guest firmware, via fw_cfg. The list  is  represented
4215                     as an array of IANA_TLS_CIPHER objects. The firmware uses
4216                     the IANA_TLS_CIPHER array for configuring guest-side TLS.
4217
4218                     In the following  example,  the  priority  at  which  the
4219                     host-side  policy  is  retrieved is given by the priority
4220                     property.  Given that QEMU uses GNUTLS,  priority=@SYSTEM
4221                     may    be    used    to    refer   to   /etc/crypto-poli‐
4222                     cies/back-ends/gnutls.config.
4223
4224                        # qemu-system-x86_64 \
4225                            -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
4226                            -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0
4227
4228              -object               filter-buffer,id=id,netdev=netdevid,inter‐
4229              val=t[,queue=all|rx|tx][,status=on|off][,posi‐
4230              tion=head|tail|id=<id>][,insert=behind|before]
4231                     Interval t can't be 0, this filter batches the packet de‐
4232                     livery:  all packets arriving in a given interval on net‐
4233                     dev netdevid are delayed until the end of  the  interval.
4234                     Interval  is in microseconds. status is optional that in‐
4235                     dicate whether the netfilter is on (enabled) or off (dis‐
4236                     abled), the default status for netfilter will be 'on'.
4237
4238                     queue  all|rx|tx  is an option that can be applied to any
4239                     netfilter.
4240
4241                     all: the filter is attached both to the receive  and  the
4242                     transmit queue of the netdev (default).
4243
4244                     rx:  the  filter  is attached to the receive queue of the
4245                     netdev, where it will receive packets sent to the netdev.
4246
4247                     tx: the filter is attached to the transmit queue  of  the
4248                     netdev, where it will receive packets sent by the netdev.
4249
4250                     position  head|tail|id=<id> is an option to specify where
4251                     the filter should be inserted in the filter list. It  can
4252                     be applied to any netfilter.
4253
4254                     head:  the  filter  is inserted at the head of the filter
4255                     list, before any existing filters.
4256
4257                     tail: the filter is inserted at the tail  of  the  filter
4258                     list, behind any existing filters (default).
4259
4260                     id=<id>: the filter is inserted before or behind the fil‐
4261                     ter specified by <id>, see the insert option below.
4262
4263                     insert behind|before is an option to specify where to in‐
4264                     sert  the  new  filter relative to the one specified with
4265                     position=id=<id>. It can be applied to any netfilter.
4266
4267                     before: insert before the specified filter.
4268
4269                     behind: insert behind the specified filter (default).
4270
4271              -object       filter-mirror,id=id,netdev=netdevid,outdev=charde‐
4272              vid,queue=all|rx|tx[,vnet_hdr_support][,posi‐
4273              tion=head|tail|id=<id>][,insert=behind|before]
4274                     filter-mirror on netdev  netdevid,mirror  net  packet  to
4275                     chardevchardevid,  if  it  has the vnet_hdr_support flag,
4276                     filter-mirror will mirror packet with vnet_hdr_len.
4277
4278              -object    filter-redirector,id=id,netdev=netdevid,indev=charde‐
4279              vid,outdev=chardevid,queue=all|rx|tx[,vnet_hdr_support][,posi‐
4280              tion=head|tail|id=<id>][,insert=behind|before]
4281                     filter-redirector on  netdev  netdevid,redirect  filter's
4282                     net  packet  to  chardev  chardevid,and  redirect indev's
4283                     packet to filter.if it  has  the  vnet_hdr_support  flag,
4284                     filter-redirector will redirect packet with vnet_hdr_len.
4285                     Create a filter-redirector we need to  differ  outdev  id
4286                     from  indev  id,  id can not be the same. we can just use
4287                     indev or outdev, but at least one of indev or outdev need
4288                     to be specified.
4289
4290              -object                      filter-rewriter,id=id,netdev=netde‐
4291              vid,queue=all|rx|tx,[vnet_hdr_support][,posi‐
4292              tion=head|tail|id=<id>][,insert=behind|before]
4293                     Filter-rewriter is a part of COLO project.It will rewrite
4294                     tcp packet to secondary from primary  to  keep  secondary
4295                     tcp  connection,and  rewrite  tcp  packet to primary from
4296                     secondary make tcp packet can be handled by client.if  it
4297                     has  the  vnet_hdr_support flag, we can parse packet with
4298                     vnet header.
4299
4300                     usage:   colo    secondary:    -object    filter-redirec‐
4301                     tor,id=f1,netdev=hn0,queue=tx,indev=red0   -object   fil‐
4302                     ter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1 -ob‐
4303                     ject filter-rewriter,id=rew0,netdev=hn0,queue=all
4304
4305              -object                 filter-dump,id=id,netdev=dev[,file=file‐
4306              name][,maxlen=len][,position=head|tail|id=<id>][,insert=be‐
4307              hind|before]
4308                     Dump the network traffic on netdev dev to the file speci‐
4309                     fied by filename. At most len bytes (64k by default)  per
4310                     packet  are stored. The file format is libpcap, so it can
4311                     be analyzed with tools such as tcpdump or Wireshark.
4312
4313              -object             colo-compare,id=id,primary_in=chardevid,sec‐
4314              ondary_in=chardevid,outdev=chardevid,iothread=id[,vnet_hdr_sup‐
4315              port][,notify_dev=id][,compare_timeout=@var{ms}][,ex‐
4316              pired_scan_cycle=@var{ms}][,max_queue_size=@var{size}]
4317                     Colo-compare  gets  packet  from primary_in chardevid and
4318                     secondary_in, then compare whether the payload of primary
4319                     packet  and  secondary  packet  are the same. If same, it
4320                     will output primary packet to out_dev, else it  will  no‐
4321                     tify  COLO-framework  to  do  checkpoint and send primary
4322                     packet to out_dev. In order  to  improve  efficiency,  we
4323                     need  to  put the task of comparison in another iothread.
4324                     If it has the vnet_hdr_support flag,  colo  compare  will
4325                     send/recv      packet     with     vnet_hdr_len.      The
4326                     compare_timeout=@var{ms} determines the maximum  time  of
4327                     the     colo-compare     hold     the     packet.     The
4328                     expired_scan_cycle=@var{ms} is to set the period of scan‐
4329                     ning   expired   primary   node   network  packets.   The
4330                     max_queue_size=@var{size} is to set the max compare queue
4331                     size depend on user environment.  If user want to use Xen
4332                     COLO, need to add the notify_dev to notify Xen colo-frame
4333                     to do checkpoint.
4334
4335                     COLO-compare must be used with the help of filter-mirror,
4336                     filter-redirector and filter-rewriter.
4337
4338                        KVM COLO
4339
4340                        primary:
4341                        -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
4342                        -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
4343                        -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server=on,wait=off
4344                        -chardev socket,id=compare1,host=3.3.3.3,port=9004,server=on,wait=off
4345                        -chardev socket,id=compare0,host=3.3.3.3,port=9001,server=on,wait=off
4346                        -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
4347                        -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server=on,wait=off
4348                        -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
4349                        -object iothread,id=iothread1
4350                        -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
4351                        -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
4352                        -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
4353                        -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,iothread=iothread1
4354
4355                        secondary:
4356                        -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,down script=/etc/qemu-ifdown
4357                        -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
4358                        -chardev socket,id=red0,host=3.3.3.3,port=9003
4359                        -chardev socket,id=red1,host=3.3.3.3,port=9004
4360                        -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
4361                        -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
4362
4363
4364                        Xen COLO
4365
4366                        primary:
4367                        -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
4368                        -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
4369                        -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server=on,wait=off
4370                        -chardev socket,id=compare1,host=3.3.3.3,port=9004,server=on,wait=off
4371                        -chardev socket,id=compare0,host=3.3.3.3,port=9001,server=on,wait=off
4372                        -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
4373                        -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server=on,wait=off
4374                        -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
4375                        -chardev socket,id=notify_way,host=3.3.3.3,port=9009,server=on,wait=off
4376                        -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
4377                        -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
4378                        -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
4379                        -object iothread,id=iothread1
4380                        -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,notify_dev=nofity_way,iothread=iothread1
4381
4382                        secondary:
4383                        -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,down script=/etc/qemu-ifdown
4384                        -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
4385                        -chardev socket,id=red0,host=3.3.3.3,port=9003
4386                        -chardev socket,id=red1,host=3.3.3.3,port=9004
4387                        -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
4388                        -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
4389
4390                     If you want to know the detail of above command line, you
4391                     can read the colo-compare git log.
4392
4393              -object cryptodev-backend-builtin,id=id[,queues=queues]
4394                     Creates  a cryptodev backend which executes crypto opera‐
4395                     tions from the QEMU cipher APIs. The id  parameter  is  a
4396                     unique  ID  that will be used to reference this cryptodev
4397                     backend from the virtio-crypto device. The queues parame‐
4398                     ter  is optional, which specify the queue number of cryp‐
4399                     todev backend, the default of queues is 1.
4400
4401                        # qemu-system-x86_64 \
4402                          [...] \
4403                              -object cryptodev-backend-builtin,id=cryptodev0 \
4404                              -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
4405                          [...]
4406
4407              -object               cryptodev-vhost-user,id=id,chardev=charde‐
4408              vid[,queues=queues]
4409                     Creates  a  vhost-user  cryptodev  backend,  backed  by a
4410                     chardev chardevid. The id parameter is a unique  ID  that
4411                     will be used to reference this cryptodev backend from the
4412                     virtio-crypto device. The chardev should be a unix domain
4413                     socket  backed  one.   The vhost-user uses a specifically
4414                     defined protocol to pass vhost ioctl replacement messages
4415                     to  an  application  on  the other end of the socket. The
4416                     queues parameter is optional,  which  specify  the  queue
4417                     number  of  cryptodev  backend for multiqueue vhost-user,
4418                     the default of queues is 1.
4419
4420                        # qemu-system-x86_64 \
4421                          [...] \
4422                              -chardev socket,id=chardev0,path=/path/to/socket \
4423                              -object cryptodev-vhost-user,id=cryptodev0,chardev=chardev0 \
4424                              -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
4425                          [...]
4426
4427              -object    secret,id=id,data=string,format=raw|base64[,keyid=se‐
4428              cretid,iv=string]
4429
4430
4431              -object  secret,id=id,file=filename,format=raw|base64[,keyid=se‐
4432              cretid,iv=string]
4433                     Defines a secret to store a password, encryption key,  or
4434                     some  other sensitive data. The sensitive data can either
4435                     be passed directly via the data parameter, or  indirectly
4436                     via the file parameter. Using the data parameter is inse‐
4437                     cure unless the sensitive data is encrypted.
4438
4439                     The sensitive data can be provided in raw format (the de‐
4440                     fault),  or  base64. When encoded as JSON, the raw format
4441                     only supports valid UTF-8 characters, so base64 is recom‐
4442                     mended  for  sending  binary data. QEMU will convert from
4443                     which ever format is provided to the format it needs  in‐
4444                     ternally. eg, an RBD password can be provided in raw for‐
4445                     mat, even though it will be base64  encoded  when  passed
4446                     onto the RBD sever.
4447
4448                     For  added protection, it is possible to encrypt the data
4449                     associated with a secret using  the  AES-256-CBC  cipher.
4450                     Use of encryption is indicated by providing the keyid and
4451                     iv parameters. The keyid parameter provides the ID  of  a
4452                     previously  defined  secret that contains the AES-256 de‐
4453                     cryption key. This key should be  32-bytes  long  and  be
4454                     base64 encoded. The iv parameter provides the random ini‐
4455                     tialization vector used for encryption of this particular
4456                     secret  and  should  be  a base64 encrypted string of the
4457                     16-byte IV.
4458
4459                     The simplest (insecure) usage is to  provide  the  secret
4460                     inline
4461
4462                        # qemu-system-x86_64 -object secret,id=sec0,data=letmein,format=raw
4463
4464                     The  simplest secure usage is to provide the secret via a
4465                     file
4466
4467                     # printf "letmein"  >  mypasswd.txt  #  QEMU_SYSTEM_MACRO
4468                     -object secret,id=sec0,file=mypasswd.txt,format=raw
4469
4470                     For  greater security, AES-256-CBC should be used. To il‐
4471                     lustrate usage, consider the openssl  command  line  tool
4472                     which  can  encrypt  the data. Note that when encrypting,
4473                     the plaintext must be padded to the cipher block size (32
4474                     bytes) using the standard PKCS#5/6 compatible padding al‐
4475                     gorithm.
4476
4477                     First a master key needs to be created in  base64  encod‐
4478                     ing:
4479
4480                        # openssl rand -base64 32 > key.b64
4481                        # KEY=$(base64 -d key.b64 | hexdump  -v -e '/1 "%02X"')
4482
4483                     Each  secret  to be encrypted needs to have a random ini‐
4484                     tialization vector generated. These do  not  need  to  be
4485                     kept secret
4486
4487                        # openssl rand -base64 16 > iv.b64
4488                        # IV=$(base64 -d iv.b64 | hexdump  -v -e '/1 "%02X"')
4489
4490                     The  secret  to  be defined can now be encrypted, in this
4491                     case we're telling openssl to base64 encode  the  result,
4492                     but it could be left as raw bytes if desired.
4493
4494                        # SECRET=$(printf "letmein" |
4495                                   openssl enc -aes-256-cbc -a -K $KEY -iv $IV)
4496
4497                     When  launching  QEMU, create a master secret pointing to
4498                     key.b64 and specify that to be used to decrypt  the  user
4499                     password.  Pass  the contents of iv.b64 to the second se‐
4500                     cret
4501
4502                        # qemu-system-x86_64 \
4503                            -object secret,id=secmaster0,format=base64,file=key.b64 \
4504                            -object secret,id=sec0,keyid=secmaster0,format=base64,\
4505                                data=$SECRET,iv=$(<iv.b64)
4506
4507              -object                      sev-guest,id=id,cbitpos=cbitpos,re‐
4508              duced-phys-bits=val,[sev-device=string,policy=policy,handle=han‐
4509              dle,dh-cert-file=file,session-file=file,kernel-hashes=on|off]
4510                     Create a Secure Encrypted Virtualization (SEV) guest  ob‐
4511                     ject,  which  can be used to provide the guest memory en‐
4512                     cryption support on AMD processors.
4513
4514                     When memory encryption is enabled, one  of  the  physical
4515                     address bit (aka the C-bit) is utilized to mark if a mem‐
4516                     ory page is protected. The cbitpos is used to provide the
4517                     C-bit  position. The C-bit position is Host family depen‐
4518                     dent hence user must provide this  value.  On  EPYC,  the
4519                     value should be 47.
4520
4521                     When  memory encryption is enabled, we loose certain bits
4522                     in physical address space. The reduced-phys-bits is  used
4523                     to  provide  the  number of bits we loose in physical ad‐
4524                     dress space.  Similar to C-bit, the value is Host  family
4525                     dependent. On EPYC, a guest will lose a maximum of 1 bit,
4526                     so the value should be 1.
4527
4528                     The sev-device provides the device file to use for commu‐
4529                     nicating  with the SEV firmware running inside AMD Secure
4530                     Processor. The default device is '/dev/sev'. If  hardware
4531                     supports memory encryption then /dev/sev devices are cre‐
4532                     ated by CCP driver.
4533
4534                     The policy provides the guest policy to  be  enforced  by
4535                     the  SEV firmware and restrict what configuration and op‐
4536                     erational commands can be performed on this guest by  the
4537                     hypervisor.  The  policy  should be provided by the guest
4538                     owner and is bound to the guest  and  cannot  be  changed
4539                     throughout the lifetime of the guest. The default is 0.
4540
4541                     If  guest  policy allows sharing the key with another SEV
4542                     guest then handle can be use to  provide  handle  of  the
4543                     guest from which to share the key.
4544
4545                     The  dh-cert-file  and  session-file  provides  the guest
4546                     owner's Public Diffie-Hillman key defined  in  SEV  spec.
4547                     The  PDH and session parameters are used for establishing
4548                     a cryptographic session with the guest owner to negotiate
4549                     keys  used  for  attestation. The file must be encoded in
4550                     base64.
4551
4552                     The kernel-hashes adds the hashes of given kernel/initrd/
4553                     cmdline  to a designated guest firmware page for measured
4554                     Linux boot with -kernel. The default is off. (Since 6.2)
4555
4556                     e.g to launch a SEV guest
4557
4558                        # qemu-system-x86_64 \
4559                            ...... \
4560                            -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=1 \
4561                            -machine ...,memory-encryption=sev0 \
4562                            .....
4563
4564              -object authz-simple,id=id,identity=string
4565                     Create an authorization object that will  control  access
4566                     to network services.
4567
4568                     The  identity  parameter  is  identifies the user and its
4569                     format depends on the network service that  authorization
4570                     object  is  associated with. For authorizing based on TLS
4571                     x509 certificates, the identity must be the x509  distin‐
4572                     guished  name. Note that care must be taken to escape any
4573                     commas in the distinguished name.
4574
4575                     An example authorization object to validate a  x509  dis‐
4576                     tinguished name would look like:
4577
4578                        # qemu-system-x86_64 \
4579                            ... \
4580                            -object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
4581                            ...
4582
4583                     Note the use of quotes due to the x509 distinguished name
4584                     containing whitespace, and escaping of ','.
4585
4586              -object authz-listfile,id=id,filename=path,refresh=on|off
4587                     Create an authorization object that will  control  access
4588                     to network services.
4589
4590                     The  filename  parameter is the fully qualified path to a
4591                     file containing the access control  list  rules  in  JSON
4592                     format.
4593
4594                     An example set of rules that match against SASL usernames
4595                     might look like:
4596
4597                        {
4598                          "rules": [
4599                             { "match": "fred", "policy": "allow", "format": "exact" },
4600                             { "match": "bob", "policy": "allow", "format": "exact" },
4601                             { "match": "danb", "policy": "deny", "format": "glob" },
4602                             { "match": "dan*", "policy": "allow", "format": "exact" },
4603                          ],
4604                          "policy": "deny"
4605                        }
4606
4607                     When checking access the object will iterate over all the
4608                     rules  and  the  first rule to match will have its policy
4609                     value returned as the result. If no rules match, then the
4610                     default policy value is returned.
4611
4612                     The  rules  can  either be an exact string match, or they
4613                     can use the simple UNIX glob pattern  matching  to  allow
4614                     wildcards to be used.
4615
4616                     If  refresh is set to true the file will be monitored and
4617                     automatically reloaded whenever its content changes.
4618
4619                     As with the authz-simple object, the format of the  iden‐
4620                     tity  strings  being  matched depends on the network ser‐
4621                     vice, but is usually a TLS x509 distinguished name, or  a
4622                     SASL username.
4623
4624                     An  example authorization object to validate a SASL user‐
4625                     name would look like:
4626
4627                        # qemu-system-x86_64 \
4628                            ... \
4629                            -object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=on \
4630                            ...
4631
4632              -object authz-pam,id=id,service=string
4633                     Create an authorization object that will  control  access
4634                     to network services.
4635
4636                     The  service parameter provides the name of a PAM service
4637                     to  use  for  authorization.  It  requires  that  a  file
4638                     /etc/pam.d/service exist to provide the configuration for
4639                     the account subsystem.
4640
4641                     An example authorization object to validate  a  TLS  x509
4642                     distinguished name would look like:
4643
4644                        # qemu-system-x86_64 \
4645                            ... \
4646                            -object authz-pam,id=auth0,service=qemu-vnc \
4647                            ...
4648
4649                     There  would  then be a corresponding config file for PAM
4650                     at /etc/pam.d/qemu-vnc that contains:
4651
4652                        account requisite  pam_listfile.so item=user sense=allow \
4653                                   file=/etc/qemu/vnc.allow
4654
4655                     Finally the /etc/qemu/vnc.allow file  would  contain  the
4656                     list  of  x509 distinguished names that are permitted ac‐
4657                     cess
4658
4659                        CN=laptop.example.com,O=Example Home,L=London,ST=London,C=GB
4660
4661              -object                                                      io‐
4662              thread,id=id,poll-max-ns=poll-max-ns,poll-grow=poll-grow,poll-shrink=poll-shrink,aio-max-batch=aio-max-batch
4663                     Creates a dedicated event loop thread that devices can be
4664                     assigned to. This is known as an IOThread. By default de‐
4665                     vice emulation happens in vCPU threads or the main  event
4666                     loop  thread.   This can become a scalability bottleneck.
4667                     IOThreads allow device emulation and I/O to run on  other
4668                     host CPUs.
4669
4670                     The id parameter is a unique ID that will be used to ref‐
4671                     erence this IOThread from -device ...,iothread=id.   Mul‐
4672                     tiple  devices  can be assigned to an IOThread. Note that
4673                     not all devices support an iothread parameter.
4674
4675                     The query-iothreads QMP command lists IOThreads  and  re‐
4676                     ports  their  thread  IDs  so that the user can configure
4677                     host CPU pinning/affinity.
4678
4679                     IOThreads use an adaptive  polling  algorithm  to  reduce
4680                     event loop latency. Instead of entering a blocking system
4681                     call to monitor file descriptors and then pay the cost of
4682                     being  woken  up  when an event occurs, the polling algo‐
4683                     rithm spins waiting for events for a short time. The  al‐
4684                     gorithm's  default parameters are suitable for many cases
4685                     but can be adjusted based on knowledge  of  the  workload
4686                     and/or host device latency.
4687
4688                     The  poll-max-ns  parameter  is  the  maximum  number  of
4689                     nanoseconds to busy wait for events. Polling can be  dis‐
4690                     abled by setting this value to 0.
4691
4692                     The  poll-grow  parameter  is  the multiplier used to in‐
4693                     crease the polling time when the algorithm detects it  is
4694                     missing events due to not polling long enough.
4695
4696                     The poll-shrink parameter is the divisor used to decrease
4697                     the polling time when the algorithm detects it is  spend‐
4698                     ing too long polling without encountering events.
4699
4700                     The  aio-max-batch parameter is the maximum number of re‐
4701                     quests in a batch for the AIO engine, 0  means  that  the
4702                     engine will use its default.
4703
4704                     The IOThread parameters can be modified at run-time using
4705                     the qom-set command (where iothread1  is  the  IOThread's
4706                     id):
4707
4708                        (qemu) qom-set /objects/iothread1 poll-max-ns 100000
4709
4710       During the graphical emulation, you can use special key combinations to
4711       change modes. The default key mappings are shown below, but if you  use
4712       -alt-grab then the modifier is Ctrl-Alt-Shift (instead of Ctrl-Alt) and
4713       if you use -ctrl-grab then the modifier is the right Ctrl key  (instead
4714       of Ctrl-Alt):
4715
4716       Ctrl-Alt-f
4717              Toggle full screen
4718
4719       Ctrl-Alt-+
4720              Enlarge the screen
4721
4722       Ctrl-Alt--
4723              Shrink the screen
4724
4725       Ctrl-Alt-u
4726              Restore the screen's un-scaled dimensions
4727
4728       Ctrl-Alt-n
4729              Switch to virtual console 'n'. Standard console mappings are:
4730
4731              1      Target system display
4732
4733              2      Monitor
4734
4735              3      Serial port
4736
4737       Ctrl-Alt
4738              Toggle mouse and keyboard grab.
4739
4740       In  the  virtual  consoles, you can use Ctrl-Up, Ctrl-Down, Ctrl-PageUp
4741       and Ctrl-PageDown to move in the back log.
4742
4743       During emulation, if you are  using  a  character  backend  multiplexer
4744       (which  is  the  default if you are using -nographic) then several com‐
4745       mands are available via an escape sequence.  These  key  sequences  all
4746       start  with an escape character, which is Ctrl-a by default, but can be
4747       changed with -echr. The list below assumes you're using the default.
4748
4749       Ctrl-a h
4750              Print this help
4751
4752       Ctrl-a x
4753              Exit emulator
4754
4755       Ctrl-a s
4756              Save disk data back to file (if -snapshot)
4757
4758       Ctrl-a t
4759              Toggle console timestamps
4760
4761       Ctrl-a b
4762              Send break (magic sysrq in Linux)
4763
4764       Ctrl-a c
4765              Rotate between the frontends connected to the multiplexer  (usu‐
4766              ally this switches between the monitor and the console)
4767
4768       Ctrl-a Ctrl-a
4769              Send the escape character to the frontend
4770

NOTES

4772       In  addition  to  using normal file images for the emulated storage de‐
4773       vices, QEMU can also use networked resources  such  as  iSCSI  devices.
4774       These are specified using a special URL syntax.
4775
4776       iSCSI  iSCSI support allows QEMU to access iSCSI resources directly and
4777              use as images for the guest storage. Both disk and cdrom  images
4778              are supported.
4779
4780              Syntax    for    specifying   iSCSI   LUNs   is   "iscsi://<tar‐
4781              get-ip>[:<port>]/<target-iqn>/<lun>"
4782
4783              By   default   qemu   will   use   the   iSCSI    initiator-name
4784              'iqn.2008-11.org.linux-kvm[:<name>]'  but  this  can also be set
4785              from the command line or a configuration file.
4786
4787              Since version QEMU 2.4 it is possible to specify a iSCSI request
4788              timeout  to  detect stalled requests and force a reestablishment
4789              of the session. The timeout is specified in seconds. The default
4790              is  0  which means no timeout. Libiscsi 1.15.0 or greater is re‐
4791              quired for this feature.
4792
4793              Example (without authentication):
4794
4795                 qemu-system-x86_64 -iscsi initiator-name=iqn.2001-04.com.example:my-initiator \
4796                                  -cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
4797                                  -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
4798
4799              Example (CHAP username/password via URL):
4800
4801                 qemu-system-x86_64 -drive file=iscsi://user%password@192.0.2.1/iqn.2001-04.com.example/1
4802
4803              Example (CHAP username/password via environment variables):
4804
4805                 LIBISCSI_CHAP_USERNAME="user" \
4806                 LIBISCSI_CHAP_PASSWORD="password" \
4807                 qemu-system-x86_64 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
4808
4809       NBD    QEMU supports NBD (Network Block Devices) both using TCP  proto‐
4810              col  as  well as Unix Domain Sockets. With TCP, the default port
4811              is 10809.
4812
4813              Syntax for specifying a NBD device using TCP, in  preferred  URI
4814              form: "nbd://<server-ip>[:<port>]/[<export>]"
4815
4816              Syntax  for  specifying  a NBD device using Unix Domain Sockets;
4817              remember that '?' is a shell glob character and may  need  quot‐
4818              ing: "nbd+unix:///[<export>]?socket=<domain-socket>"
4819
4820              Older       syntax       that      is      also      recognized:
4821              "nbd:<server-ip>:<port>[:exportname=<export>]"
4822
4823              Syntax for specifying a NBD device  using  Unix  Domain  Sockets
4824              "nbd:unix:<domain-socket>[:exportname=<export>]"
4825
4826              Example for TCP
4827
4828                 qemu-system-x86_64 --drive file=nbd:192.0.2.1:30000
4829
4830              Example for Unix Domain Sockets
4831
4832                 qemu-system-x86_64 --drive file=nbd:unix:/tmp/nbd-socket
4833
4834       SSH    QEMU supports SSH (Secure Shell) access to remote disks.
4835
4836              Examples:
4837
4838                 qemu-system-x86_64 -drive file=ssh://user@host/path/to/disk.img
4839                 qemu-system-x86_64 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img
4840
4841              Currently authentication must be done using ssh-agent. Other au‐
4842              thentication methods may be supported in future.
4843
4844       GlusterFS
4845              GlusterFS is a user space distributed file system. QEMU supports
4846              the  use  of  GlusterFS volumes for hosting VM disk images using
4847              TCP, Unix Domain Sockets and RDMA transport protocols.
4848
4849              Syntax for specifying a VM disk image on GlusterFS volume is
4850
4851                 URI:
4852                 gluster[+type]://[host[:port]]/volume/path[?socket=...][,debug=N][,logfile=...]
4853
4854                 JSON:
4855                 'json:{"driver":"qcow2","file":{"driver":"gluster","volume":"testvol","path":"a.img","debug":N,"logfile":"...",
4856                                                  "server":[{"type":"tcp","host":"...","port":"..."},
4857                                                            {"type":"unix","socket":"..."}]}}'
4858
4859              Example
4860
4861                 URI:
4862                 qemu-system-x86_64 --drive file=gluster://192.0.2.1/testvol/a.img,
4863                                                file.debug=9,file.logfile=/var/log/qemu-gluster.log
4864
4865                 JSON:
4866                 qemu-system-x86_64 'json:{"driver":"qcow2",
4867                                           "file":{"driver":"gluster",
4868                                                    "volume":"testvol","path":"a.img",
4869                                                    "debug":9,"logfile":"/var/log/qemu-gluster.log",
4870                                                    "server":[{"type":"tcp","host":"1.2.3.4","port":24007},
4871                                                              {"type":"unix","socket":"/var/run/glusterd.socket"}]}}'
4872                 qemu-system-x86_64 -drive driver=qcow2,file.driver=gluster,file.volume=testvol,file.path=/path/a.img,
4873                                                       file.debug=9,file.logfile=/var/log/qemu-gluster.log,
4874                                                       file.server.0.type=tcp,file.server.0.host=1.2.3.4,file.server.0.port=24007,
4875                                                       file.server.1.type=unix,file.server.1.socket=/var/run/glusterd.socket
4876
4877              See also http://www.gluster.org.
4878
4879       HTTP/HTTPS/FTP/FTPS
4880              QEMU supports read-only access to files  accessed  over  http(s)
4881              and ftp(s).
4882
4883              Syntax using a single filename:
4884
4885                 <protocol>://[<username>[:<password>]@]<host>/<path>
4886
4887              where:
4888
4889              protocol
4890                     'http', 'https', 'ftp', or 'ftps'.
4891
4892              username
4893                     Optional   username  for  authentication  to  the  remote
4894                     server.
4895
4896              password
4897                     Optional  password  for  authentication  to  the   remote
4898                     server.
4899
4900              host   Address of the remote server.
4901
4902              path   Path on the remote server, including any query string.
4903
4904              The following options are also supported:
4905
4906              url    The  full  URL when passing options to the driver explic‐
4907                     itly.
4908
4909              readahead
4910                     The amount of data to read ahead with each range  request
4911                     to  the remote server. This value may optionally have the
4912                     suffix 'T', 'G', 'M', 'K', 'k' or 'b'.  If  it  does  not
4913                     have  a  suffix,  it  will be assumed to be in bytes. The
4914                     value must be a multiple of 512 bytes.   It  defaults  to
4915                     256k.
4916
4917              sslverify
4918                     Whether  to  verify  the remote server's certificate when
4919                     connecting over SSL. It can have the value 'on' or 'off'.
4920                     It defaults to 'on'.
4921
4922              cookie Send  this cookie (it can also be a list of cookies sepa‐
4923                     rated by ';') with each outgoing request. Only  supported
4924                     when  using protocols such as HTTP which support cookies,
4925                     otherwise ignored.
4926
4927              timeout
4928                     Set the timeout in seconds of the CURL  connection.  This
4929                     timeout  is  the time that CURL waits for a response from
4930                     the remote server to get the size  of  the  image  to  be
4931                     downloaded.  If not set, the default timeout of 5 seconds
4932                     is used.
4933
4934              Note that when passing options to qemu explicitly, driver is the
4935              value of <protocol>.
4936
4937              Example: boot from a remote Fedora 20 live ISO image
4938
4939                 qemu-system-x86_64 --drive media=cdrom,file=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly
4940
4941                 qemu-system-x86_64 --drive media=cdrom,file.driver=http,file.url=http://archives.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly
4942
4943              Example:  boot from a remote Fedora 20 cloud image using a local
4944              overlay for writes, copy-on-read, and a readahead of 64k
4945
4946                 qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"http",, "file.url":"http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2",, "file.readahead":"64k"}' /tmp/Fedora-x86_64-20-20131211.1-sda.qcow2
4947
4948                 qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-on-read=on
4949
4950              Example: boot from an image stored on a  VMware  vSphere  server
4951              with a self-signed certificate using a local overlay for writes,
4952              a readahead of 64k and a timeout of 10 seconds.
4953
4954                 qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"https",, "file.url":"https://user:password@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10}' /tmp/test.qcow2
4955
4956                 qemu-system-x86_64 -drive file=/tmp/test.qcow2
4957

SEE ALSO

4959       The HTML documentation of QEMU for more precise information  and  Linux
4960       user mode emulator invocation.
4961

AUTHOR

4963       Fabrice Bellard
4964
4966       2023, The QEMU Project Developers
4967
4968
4969
4970
49718.1.3                            Nov 28, 2023                          QEMU(1)
Impressum