Emulation and QEMU

Chapter 13: Emulation and QEMU

Introduction

Emulation allows you to run software designed for one architecture on another, or to create virtual machines for testing. QEMU (Quick Emulator) is the most important tool for OS development and system programming. It lets you test bootloaders, kernels, and system software safely without risking hardware damage, and provides powerful debugging capabilities.

Why This Matters

System programming is dangerous. A bug in a bootloader or kernel can brick hardware, corrupt disks, or cause data loss. Emulators provide a safe sandbox for development. QEMU is essential for kernel developers, embedded systems engineers, and anyone working on low-level software. It supports multiple architectures (x86, ARM, RISC-V, etc.) and integrates with debuggers.

How to Study This Chapter

  1. Install QEMU - Get hands-on experience immediately
  2. Start simple - Boot a basic bootloader before complex kernels
  3. Use debugging features - Learn QEMU monitor and GDB integration
  4. Test on multiple architectures - Try x86, x64, and ARM emulation

What is Emulation?

Emulation vs Virtualization

Emulation: Simulates different hardware architecture

  • Software simulates CPU instructions
  • Can run ARM code on x86 host
  • Slower (instruction translation overhead)
  • Example: QEMU in emulation mode

Virtualization: Runs code on same architecture with hardware support

  • Uses CPU virtualization extensions (Intel VT-x, AMD-V)
  • Near-native performance
  • Example: QEMU with KVM, VirtualBox, VMware

Types of Emulators

  1. Full System Emulation: Emulates complete computer (CPU, RAM, devices)
  2. User Mode Emulation: Runs foreign architecture binaries on host OS
  3. Hardware-Assisted Virtualization: Uses CPU extensions for speed

Installing QEMU

Linux (Ubuntu/Debian)

sudo apt-get update
sudo apt-get install qemu-system-x86 qemu-system-arm qemu-utils

macOS

brew install qemu

Windows

Download from qemu.org or use WSL2.

Verify Installation

qemu-system-x86_64 --version

QEMU Basics

Running a Bootable Image

# Create a floppy disk image
dd if=/dev/zero of=floppy.img bs=512 count=2880  # 1.44 MB

# Write bootloader to image
dd if=boot.bin of=floppy.img bs=512 count=1 conv=notrunc

# Boot the image in QEMU
qemu-system-x86_64 -drive file=floppy.img,format=raw,if=floppy

# Alternative: Use as hard disk
qemu-system-x86_64 -drive file=disk.img,format=raw

Common QEMU Options

# Boot from floppy
qemu-system-x86_64 -fda floppy.img

# Boot from hard disk
qemu-system-x86_64 -hda disk.img

# Specify RAM size (default: 128 MB)
qemu-system-x86_64 -m 512M -hda disk.img

# Enable KVM acceleration (Linux only, same architecture)
qemu-system-x86_64 -enable-kvm -hda disk.img

# Boot from CD-ROM
qemu-system-x86_64 -cdrom os.iso

# No graphical window (serial console only)
qemu-system-x86_64 -nographic -hda disk.img

# Serial output to stdio
qemu-system-x86_64 -serial stdio -hda disk.img

Multiple Devices

# Multiple disks
qemu-system-x86_64 \
    -drive file=disk1.img,format=raw \
    -drive file=disk2.img,format=raw

# Network card
qemu-system-x86_64 -netdev user,id=net0 -device e1000,netdev=net0

# USB device
qemu-system-x86_64 -usb -device usb-mouse

QEMU Monitor

The QEMU monitor is a powerful interactive console for controlling the virtual machine.

Accessing the Monitor

Press Ctrl-Alt-2 to switch to monitor (Ctrl-Alt-1 returns to VM).

Or start QEMU with monitor on stdio:

qemu-system-x86_64 -monitor stdio -hda disk.img

Or use telnet:

qemu-system-x86_64 -monitor telnet:127.0.0.1:55555,server,nowait -hda disk.img

# In another terminal:
telnet 127.0.0.1 55555

Common Monitor Commands

# Get help
(qemu) help

# Show CPU registers
(qemu) info registers

# Show memory mappings
(qemu) info mem

# Show TLB contents
(qemu) info tlb

# Examine physical memory (10 hex words at address 0x7c00)
(qemu) xp /10x 0x7c00

# Examine virtual memory
(qemu) x /10x 0x7c00

# Display disassembly
(qemu) x /10i 0x7c00

# Show PCI devices
(qemu) info pci

# Show block devices
(qemu) info block

# Take screenshot
(qemu) screendump screen.ppm

# Pause VM
(qemu) stop

# Resume VM
(qemu) cont

# Reset VM
(qemu) system_reset

# Quit QEMU
(qemu) quit

# Save VM state
(qemu) savevm snapshot1

# Load VM state
(qemu) loadvm snapshot1

# Change removable media
(qemu) change floppy0 newdisk.img

Memory Inspection

# Examine memory at bootloader location
(qemu) xp /128x 0x7c00

# Check if boot signature is present
(qemu) xp /2hx 0x7dfe
# Should output: 0x7dfe: 0x55aa

# Examine GDT
(qemu) x /16x gdt_address

# Look at stack
(qemu) xp /32x $esp

Debugging with QEMU and GDB

QEMU can act as a GDB remote debugging target.

Basic GDB Debugging

Terminal 1: Start QEMU with GDB server

qemu-system-x86_64 -s -S -drive file=disk.img,format=raw

# -s : Shorthand for -gdb tcp::1234 (start GDB server on port 1234)
# -S : Freeze CPU at startup (wait for GDB)

Terminal 2: Connect GDB

gdb
(gdb) target remote localhost:1234
(gdb) set architecture i386:x86-64
(gdb) break *0x7c00               # Breakpoint at bootloader
(gdb) continue                     # Start execution

GDB Commands for System Programming

# Set breakpoint at address
(gdb) break *0x7c00

# Show registers
(gdb) info registers

# Show all registers (including segment registers)
(gdb) info all-registers

# Examine memory (hex)
(gdb) x/32xb 0x7c00

# Examine as instructions
(gdb) x/10i 0x7c00

# Disassemble
(gdb) disassemble 0x7c00,+64

# Step one instruction
(gdb) stepi
(gdb) si

# Step one instruction (step over calls)
(gdb) nexti
(gdb) ni

# Continue execution
(gdb) continue
(gdb) c

# Layout with assembly
(gdb) layout asm

# Layout with registers
(gdb) layout regs

# Watch memory location
(gdb) watch *0x7c00

# Set value in register
(gdb) set $eax = 0x42

# Write to memory
(gdb) set {int}0x7c00 = 0x12345678

Debugging Protected Mode Transition

# Connect GDB
(gdb) target remote :1234

# Set breakpoint before switching to protected mode
(gdb) break *0x7c00
(gdb) continue

# Step through instructions
(gdb) si

# Watch CR0 register (when bit 0 set, protected mode enabled)
(gdb) watch $cr0

# After protected mode enabled, change architecture
(gdb) set architecture i386:x86-64
(gdb) continue

Creating GDB Script

debug.gdb:

# Connect to QEMU
target remote localhost:1234

# Set architecture
set architecture i386:x86-64

# Add symbols if you have them
# symbol-file kernel.elf

# Set breakpoints
break *0x7c00
break *0x1000

# Define custom commands
define hook-stop
    info registers
    x/10i $pc
end

# Start execution
continue

Run with: gdb -x debug.gdb

QEMU Disk Images

Creating Disk Images

# Create raw disk image (1 GB)
qemu-img create -f raw disk.img 1G

# Create qcow2 image (more efficient, supports snapshots)
qemu-img create -f qcow2 disk.qcow2 10G

# Convert raw to qcow2
qemu-img convert -f raw -O qcow2 disk.img disk.qcow2

# Get info about image
qemu-img info disk.qcow2

Mounting Disk Images (Linux)

# Mount raw image with loopback
sudo losetup /dev/loop0 disk.img
sudo mount /dev/loop0 /mnt

# Or use offset for partitions
sudo mount -o loop,offset=1048576 disk.img /mnt

# Unmount
sudo umount /mnt
sudo losetup -d /dev/loop0

Partitioning Disk Images

# Create partition table
fdisk disk.img

# Or use parted
parted disk.img mklabel msdos
parted disk.img mkpart primary ext4 1MiB 100%

Creating a Complete Development Environment

Makefile for Building and Testing

# Makefile for bootloader and kernel development

ASM = nasm
CC = gcc
LD = ld

BOOT_SRC = boot.asm
KERNEL_SRC = kernel.c
BOOT_BIN = boot.bin
KERNEL_BIN = kernel.bin
DISK_IMG = os.img

all: $(DISK_IMG)

# Assemble bootloader
$(BOOT_BIN): $(BOOT_SRC)
	$(ASM) -f bin -o $@ $<

# Compile kernel
kernel.o: $(KERNEL_SRC)
	$(CC) -m32 -ffreestanding -fno-pie -c -o $@ $<

# Link kernel
$(KERNEL_BIN): kernel.o
	$(LD) -m elf_i386 -T linker.ld -o $@ $<
	objcopy -O binary $@ $@

# Create disk image
$(DISK_IMG): $(BOOT_BIN) $(KERNEL_BIN)
	dd if=/dev/zero of=$@ bs=512 count=2880
	dd if=$(BOOT_BIN) of=$@ bs=512 count=1 conv=notrunc
	dd if=$(KERNEL_BIN) of=$@ bs=512 seek=1 conv=notrunc

# Run in QEMU
run: $(DISK_IMG)
	qemu-system-x86_64 -drive file=$(DISK_IMG),format=raw

# Debug with GDB
debug: $(DISK_IMG)
	qemu-system-x86_64 -s -S -drive file=$(DISK_IMG),format=raw &
	gdb -ex "target remote :1234" \
	    -ex "break *0x7c00" \
	    -ex "continue"

# Clean build artifacts
clean:
	rm -f *.o *.bin $(DISK_IMG)

.PHONY: all run debug clean

Usage:

make           # Build disk image
make run       # Build and run in QEMU
make debug     # Build and debug with GDB
make clean     # Clean build files

ARM Emulation

QEMU supports various ARM machines.

Available ARM Machines

# List available ARM machines
qemu-system-arm -machine help

# Common machines:
# - versatilepb: ARM Versatile Platform Baseboard
# - vexpress-a9: ARM Versatile Express Cortex-A9
# - raspi2: Raspberry Pi 2
# - raspi3: Raspberry Pi 3

Running ARM Code

# Compile for ARM
arm-none-eabi-gcc -mcpu=arm926ej-s -c -o boot.o boot.s
arm-none-eabi-ld -T linker.ld -o kernel.elf boot.o
arm-none-eabi-objcopy -O binary kernel.elf kernel.bin

# Run in QEMU
qemu-system-arm -M versatilepb -m 128M -kernel kernel.bin -serial stdio

# Debug with GDB
qemu-system-arm -M versatilepb -kernel kernel.bin -s -S
arm-none-eabi-gdb kernel.elf
(gdb) target remote :1234

Simple ARM Boot Code

/* boot.s - ARM bootloader */
.section .text
.global _start

_start:
    /* Set up stack */
    ldr sp, =stack_top

    /* Call main function */
    bl main

    /* Halt */
hang:
    b hang

.section .bss
.align 4
stack_bottom:
    .space 4096
stack_top:

Advanced QEMU Features

Serial Port Communication

In your bootloader/kernel:

// Write to COM1 serial port (x86)
void serial_putchar(char c) {
    while (!(inb(0x3F8 + 5) & 0x20));  // Wait for transmit buffer empty
    outb(0x3F8, c);                     // Write character
}

void serial_puts(const char *str) {
    while (*str) {
        serial_putchar(*str++);
    }
}

Run QEMU with serial output:

qemu-system-x86_64 -serial stdio -hda disk.img

Logging

# Enable debug logging
qemu-system-x86_64 -d int,cpu_reset -hda disk.img

# Log to file
qemu-system-x86_64 -d int -D qemu.log -hda disk.img

# Available debug categories (see qemu-system-x86_64 -d help):
# - int: Interrupts
# - cpu_reset: CPU resets
# - guest_errors: Guest errors
# - mmu: MMU operations
# - pcall: x86 only: protected mode far calls
# - unimp: Unimplemented functionality

Snapshots

# Create snapshot
(qemu) savevm snapshot1

# List snapshots
(qemu) info snapshots

# Load snapshot
(qemu) loadvm snapshot1

# Delete snapshot
(qemu) delvm snapshot1

Networking

# User mode networking (no root required)
qemu-system-x86_64 -netdev user,id=net0 -device e1000,netdev=net0

# Tap networking (requires root)
sudo qemu-system-x86_64 -netdev tap,id=net0 -device e1000,netdev=net0

# Dump network traffic
qemu-system-x86_64 -netdev user,id=net0 -device e1000,netdev=net0 \
    -object filter-dump,id=f1,netdev=net0,file=network.pcap

Troubleshooting

Common Issues

Problem: Bootloader doesn't run

# Check boot signature
hexdump -C boot.bin | tail
# Should see: ... 55 aa

# Verify size
ls -l boot.bin
# Should be 512 bytes

Problem: Kernel not loaded

# Check disk image
qemu-system-x86_64 -monitor stdio -hda disk.img
(qemu) xp /512x 0x1000
# Should see kernel code

Problem: GDB won't connect

# Ensure QEMU is listening
netstat -an | grep 1234

# Try explicit port in GDB
(gdb) target remote localhost:1234

Problem: Wrong architecture

# Verify image architecture
file boot.bin
# Should show: DOS/MBR boot sector

# Use correct QEMU binary
qemu-system-x86_64  # For x64
qemu-system-arm     # For ARM

Testing Checklist

# 1. Test bootloader loads
qemu-system-x86_64 -drive file=disk.img,format=raw

# 2. Test serial output
qemu-system-x86_64 -serial stdio -drive file=disk.img,format=raw

# 3. Inspect bootloader in memory
qemu-system-x86_64 -monitor stdio -drive file=disk.img,format=raw
(qemu) xp /128x 0x7c00

# 4. Debug with GDB
qemu-system-x86_64 -s -S -drive file=disk.img,format=raw &
gdb -ex "target remote :1234"

# 5. Check registers after boot
(qemu) info registers

# 6. Verify kernel loaded
(qemu) xp /256x 0x1000

Key Concepts

  • QEMU emulates complete computer systems
  • Emulation simulates foreign architectures, slower than virtualization
  • QEMU Monitor provides introspection and control
  • GDB integration enables source-level debugging
  • Serial output simplifies debugging (no video driver needed)
  • Disk images can be raw or qcow2 format
  • Multiple architectures supported (x86, ARM, RISC-V, etc.)
  • Snapshots save and restore VM state

Common Mistakes

  1. Wrong architecture binary - Using qemu-system-arm for x86 code
  2. Missing boot signature - Forgetting 0x55AA
  3. Not using -S flag - VM starts before GDB connects
  4. Wrong memory inspection - Use xp for physical, x for virtual
  5. Ignoring serial output - Easier than video for early debugging
  6. Not saving work - Use snapshots during long tests
  7. Testing on hardware first - Always use QEMU first!

Debugging Tips

  • Start with serial output - Easier than video
  • Use QEMU monitor - Inspect memory and registers
  • Enable debug logging - -d int,cpu_reset
  • Use GDB breakpoints - Stop at specific addresses
  • Check boot signature - Most common bootloader error
  • Verify disk reads - Use monitor to check loaded data
  • Test incrementally - Small changes, frequent testing
  • Read QEMU docs - Extensive documentation available

Mini Exercises

  1. Boot a simple bootloader in QEMU
  2. Use QEMU monitor to examine bootloader memory
  3. Set up GDB debugging for bootloader
  4. Create Makefile that builds and runs in QEMU
  5. Use serial port to print debug messages
  6. Create a QEMU snapshot and restore it
  7. Log interrupts to file using -d int
  8. Run an ARM bootloader in QEMU
  9. Use GDB to step through protected mode transition
  10. Create multi-stage bootloader and test in QEMU

Review Questions

  1. What's the difference between emulation and virtualization?
  2. What QEMU option enables GDB debugging?
  3. How do you access the QEMU monitor?
  4. What command shows CPU registers in QEMU monitor?
  5. How do you enable serial output in QEMU?

Reference Checklist

By the end of this chapter, you should be able to:

  • Install and run QEMU
  • Boot disk images in QEMU
  • Use QEMU monitor to inspect memory and registers
  • Debug bootloaders and kernels with GDB
  • Create and manage disk images
  • Use serial port for debugging output
  • Test code on multiple architectures
  • Create automated build and test workflows
  • Enable debug logging
  • Use snapshots for testing

Next Steps

With QEMU as your development environment, you're ready to build a kernel. The next chapter covers kernel fundamentals: what a kernel does, kernel architecture, interrupt handling, and the basics of kernel development.

Key Takeaway: QEMU is an indispensable tool for system programming. It provides a safe, debuggable environment for developing and testing bootloaders, kernels, and low-level software across multiple architectures.

PreviousNext Chapter