QEMU网络策略
在进行IOT固件模拟的过程中,我们需要进行poc的验证需要能够启动系统级的qemu模拟,这时候需要将固件文件系统传到qemu虚拟机中,我们需要通过qemu网络通信的方法去串通本机和qemu虚拟机。本文介绍配置qemu虚拟机网络的方法和原理,如果对此内容不感兴趣可以直接跳至简化配置中,copy命令即可。
qemu的网络通信方法
user mode stack
用户协议栈方式,这种方式相当于在qemu进程中实现一个协议栈,这个协议栈被视为一个主机与虚拟机之间的NAT服务器,负责将qemu所模拟的系统网络请求转发到外部网卡上,从而实现网络通信,但是不能将外面的请求转发至虚拟机内部,并且虚拟机vlan中的各个接口需要放在10.0.2.0子网中。
socket
为vlan创建套接字,并且将多个vlan连接起来。
TAP/bridger
桥接接口是一种虚拟网络接口,由一个或多个以太网接口组合而成,每个接口可以是物理网卡或用于VPN隧道的虚拟TAP接口,最重要的一种通信方式,我们想要实现 QEMU 虚拟机和外部通信就需要使用这种方式。
TAP 属于 LInux 内核支持的一种虚拟化网络设备,还有 TUN 也属于这种设备,它们完全由软件模拟实现,TUN/TAP 负责在内核协议栈和用户进程之间传送协议数据单元。TUN 工作在网络层,而 TAP 工作在数据链路层,TUN 负责与应用程序交换 IP 数据包,而 TAP 与应用程序交换以太网帧。所以 TUN 经常涉及路由,而 TAP 常用于网络桥接。
桥接可以简单理解为在两张网卡之间搭一座桥,一端有数据就可以通过桥走到另一端,对于实现 QEMU 虚拟机通信正合适。桥接技术在 VMWARE 中非常常用,我们设置虚拟机网络的时候就能看见桥接选项,实际上 VMware 在物理机上虚拟化了 3 张网卡,分别负责桥接、仅主机、共享网络。
VDE
也是用于连接 VLAN 的,如果没有 VLAN 连接需求基本用不到。
配置
具体配置过程
配置网桥
首先确定机器支持TAP/TUN虚拟设备
然后安装软件:
sudo apt-get install bridge-utils # 虚拟网桥工具
sudo apt-get install uml-utilities # UML(User-mode linux)工具之后添加网桥,其中大部分的操作我们需要给管理员权限。
ifconfig <你的网卡名称(能上网的那张)> down # 首先关闭宿主机网卡接口
brctl addbr br0 # 添加名为 br0 的网桥
brctl addif br0 <你的网卡名称> # 在 br0 中添加一个接口
brctl stp br0 off # 如果只有一个网桥,则关闭生成树协议
brctl setfd br0 1 # 设置 br0 的转发延迟
brctl sethello br0 1 # 设置 br0 的 hello 时间
ifconfig br0 0.0.0.0 promisc up # 启用 br0 接口
ifconfig <你的网卡名称> 0.0.0.0 promisc up # 启用网卡接口
dhclient br0 # 从 dhcp 服务器获得 br0 的 IP 地址
brctl show br0 # 查看虚拟网桥列表
brctl showstp br0 # 查看 br0 的各接口信息我虚拟机的网卡是ens33,所以上面为:
sudo ifconfig ens33 down # 首先关闭宿主机网卡接口
sudo brctl addbr br0 # 添加名为 br0 的网桥
sudo brctl addif br0 ens33 # 在 br0 中添加一个接口
sudo brctl stp br0 off # 如果只有一个网桥,则关闭生成树协议
sudo brctl setfd br0 1 # 设置 br0 的转发延迟
sudo brctl sethello br0 1 # 设置 br0 的 hello 时间
sudo ifconfig br0 0.0.0.0 promisc up # 启用 br0 接口
sudo ifconfig ens33 0.0.0.0 promisc up # 启用网卡接口
sudo dhclient br0 # 从 dhcp 服务器获得 br0 的 IP 地址
sudo brctl show br0 # 查看虚拟网桥列表
sudo brctl showstp br0 # 查看 br0 的各接口信息
sudo ifconfig ens33 up配置完的反馈信息:
$ sudo brctl showstp br0 # 查看 br0 的各接口信息
br0
bridge id 8000.000c290a23e9
designated root 8000.000c290a23e9
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 1.00 bridge hello time 1.00
forward delay 1.00 bridge forward delay 1.00
ageing time 300.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 298.03
flags
ens33 (1)
port id 8001 state forwarding
designated root 8000.000c290a23e9 path cost 4
designated bridge 8000.000c290a23e9 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
~$ ifconfig
br0 Link encap:Ethernet HWaddr 00:0c:29:0a:23:e9
inet addr:192.168.236.128 Bcast:192.168.236.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2726 (2.7 KB) TX bytes:2959 (2.9 KB)
ens33 Link encap:Ethernet HWaddr 00:0c:29:0a:23:e9
inet6 addr: fe80::1607:4664:f945:6a9d/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:57193 errors:0 dropped:0 overruns:0 frame:0
TX packets:125456 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11005548 (11.0 MB) TX bytes:156424747 (156.4 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:378 errors:0 dropped:0 overruns:0 frame:0
TX packets:378 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36623 (36.6 KB) TX bytes:36623 (36.6 KB)此时说明网桥已经得到了IP,并且能够连接网络的网卡ens33也加入了网桥。
创建TAP设备
创建一个 TAP 设备,作为 QEMU 一端的接口:
sudo tunctl -t tap0 -u root # 创建一个 tap0 接口,只允许 root 用户访问
sudo brctl addif br0 tap0 # 在虚拟网桥中增加一个 tap0 接口
sudo ifconfig tap0 0.0.0.0 promisc up # 启用 tap0 接口
sudo brctl showstp br0 # 显示 br0 的各个接口反馈信息:
$ sudo brctl showstp br0 # 显示 br0 的各个接口
br0
bridge id 8000.000c290a23e9
designated root 8000.000c290a23e9
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 1.00 bridge hello time 1.00
forward delay 1.00 bridge forward delay 1.00
ageing time 300.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 106.67
flags
ens33 (1)
port id 8001 state forwarding
designated root 8000.000c290a23e9 path cost 4
designated bridge 8000.000c290a23e9 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
tap0 (2)
port id 8002 state disabled
designated root 8000.000c290a23e9 path cost 100
designated bridge 8000.000c290a23e9 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags此时网卡和tap设备之间的关系就像下图:
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VqT8vLlk-1635247909224)(qemu%E7%BD%91%E7%BB%9C%E9%85%8D%E7%BD%AE.assets/image-20211024151539820.png)]
之后边只需要启动镜像并且指定网络连接模式是TAP即可。
准备虚拟机映像
可以前往https://people.debian.org/~aurel32/qemu/下载mips需要的系统映像。
######## mipsel ##########
Both images are 25GiB images in QCOW2 format on which a Debian Squeeze or
Wheezy "Standard system" installation has been performed. The other
installation options are the following:
- Keyboard: US
- Locale: en_US
- Mirror: ftp.debian.org
- Hostname: debian-mipsel
- Root password: root
- User account: user
- User password: user
####### mips ###########
Both images are 25GiB images in QCOW2 format on which a Debian Squeeze or
Wheezy "Standard system" installation has been performed. The other
installation options are the following:
- Keyboard: US
- Locale: en_US
- Mirror: ftp.debian.org
- Hostname: debian-mips
- Root password: root
- User account: user
- User password: userqemu-system-mipsel
完成上述网卡配置之后只需要启动镜像即可,并且指定网络连接模式是TAP:
sudo qemu-system-mipsel -M malta -kernel vmlinux-3.2.0-4-4kc-malta -hda debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -nographic -net nic -net tap,ifname=tap0,script=no,downscript=nosudo qemu-system-mipsel -M malta -kernel /mnt/hgfs/attachments/mips-system/mipsel/vmlinux-3.2.0-4-4kc-malta -hda /mnt/hgfs/attachments/mips-system/mipsel/debian_squeeze_mipsel_standard.qcow2 -append "root=/dev/sda1 console=tty0" -nographic -net nic -net tap,ifname=tap0,script=no,downscript=no快捷内容:
-M malta | 指定要仿真的开发板:malta |
-kernel | 要运行的镜像 |
-hda | 指定硬盘镜像 |
-append cmdline | 设置Linux内核命令行、启动参数 |
-net nic | 为虚拟机网卡(默认为tap0),表示希望 QEMU 在虚拟机中创建一张虚拟网卡 |
-net tap | 系统分配tap设备(默认为tap0)表示连接类型为 TAP,并且指定了网卡接口名称(就是刚才创建的 tap0,相当于把虚拟机接入网桥) |
-net nic -net tap | 将虚拟机的网卡eth0连接真机里的tap0 |
-nographic | 非图形化启动,使用串口作为控制台 |
script 和 downscript 两个选项的作用是告诉 QEMU 在启动系统的时候是否调用脚本自动配置网络环境,如果这两个选项为空,那么 QEMU 启动和退出时会自动选择第一个不存在的 tap 接口(通常是 tap0)为参数,调用脚本 /etc/qemu-ifup 和 /etc/qemu-ifdown。由于我们已经配置完毕,所以这两个参数设置为 no 即可。
此外qemu-system-mipsel的全部命令帮助如下:
qemu-system-mipsel -help
QEMU emulator version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.51), Copyright (c) 2003-2008 Fabrice Bellard
usage: qemu-system-mipsel [options] [disk_image]
'disk_image' is a raw hard disk image for IDE hard disk 0
Standard options:
-h or -help display this help and exit
-version display version information and exit
-machine [type=]name[,prop[=value][,...]]
selects emulated machine ('-machine help' for list)
property accel=accel1[:accel2[:...]] selects accelerator
supported accelerators are kvm, xen, tcg (default: tcg)
kernel_irqchip=on|off controls accelerated irqchip support
vmport=on|off|auto controls emulation of vmport (default: auto)
kvm_shadow_mem=size of KVM shadow MMU
dump-guest-core=on|off include guest memory in a core dump (default=on)
mem-merge=on|off controls memory merge support (default: on)
iommu=on|off controls emulated Intel IOMMU (VT-d) support (default=off)
igd-passthru=on|off controls IGD GFX passthrough support (default=off)
aes-key-wrap=on|off controls support for AES key wrapping (default=on)
dea-key-wrap=on|off controls support for DEA key wrapping (default=on)
suppress-vmdesc=on|off disables self-describing migration (default=off)
-cpu cpu select CPU ('-cpu help' for list)
-smp [cpus=]n[,maxcpus=cpus][,cores=cores][,threads=threads][,sockets=sockets]
set the number of CPUs to 'n' [default=1]
maxcpus= maximum number of total cpus, including
offline CPUs for hotplug, etc
cores= number of CPU cores on one socket
threads= number of threads on one CPU core
sockets= number of discrete sockets in the system
-numa node[,mem=size][,cpus=cpu[-cpu]][,nodeid=node]
-numa node[,memdev=id][,cpus=cpu[-cpu]][,nodeid=node]
-add-fd fd=fd,set=set[,opaque=opaque]
Add 'fd' to fd 'set'
-set group.id.arg=value
set <arg> parameter for item <id> of type <group>
i.e. -set drive.$id.file=/path/to/image
-global driver.property=value
-global driver=driver,property=property,value=value
set a global default for a driver property
-boot [order=drives][,once=drives][,menu=on|off]
[,splash=sp_name][,splash-time=sp_time][,reboot-timeout=rb_time][,strict=on|off]
'drives': floppy (a), hard disk (c), CD-ROM (d), network (n)
'sp_name': the file's name that would be passed to bios as logo picture, if menu=on
'sp_time': the period that splash picture last if menu=on, unit is ms
'rb_timeout': the timeout before guest reboot when boot failed, unit is ms
-m[emory] [size=]megs[,slots=n,maxmem=size]
configure guest RAM
size: initial amount of guest memory
slots: number of hotplug slots (default: none)
maxmem: maximum amount of guest memory (default: none)
NOTE: Some architectures might enforce a specific granularity
-mem-path FILE provide backing storage for guest RAM
-mem-prealloc preallocate guest memory (use with -mem-path)
-k language use keyboard layout (for example 'fr' for French)
-audio-help print list of audio drivers and their options
-soundhw c1,... enable audio support
and only specified sound cards (comma separated list)
use '-soundhw help' to get the list of supported cards
use '-soundhw all' to enable all of them
-balloon none disable balloon device
-balloon virtio[,addr=str]
enable virtio balloon device (default)
-device driver[,prop[=value][,...]]
add device (based on driver)
prop=value,... sets driver properties
use '-device help' to print all possible drivers
use '-device driver,help' to print all possible properties
-name string1[,process=string2][,debug-threads=on|off]
set the name of the guest
string1 sets the window title and string2 the process name (on Linux)
When debug-threads is enabled, individual threads are given a separate name (on Linux)
NOTE: The thread names are for debugging and not a stable API.
-uuid %08x-%04x-%04x-%04x-%012x
specify machine UUID
Block device options:
-fda/-fdb file use 'file' as floppy disk 0/1 image
-hda/-hdb file use 'file' as IDE hard disk 0/1 image
-hdc/-hdd file use 'file' as IDE hard disk 2/3 image
-cdrom file use 'file' as IDE cdrom image (cdrom is ide1 master)
-drive [file=file][,if=type][,bus=n][,unit=m][,media=d][,index=i]
[,cyls=c,heads=h,secs=s[,trans=t]][,snapshot=on|off]
[,cache=writethrough|writeback|none|directsync|unsafe][,format=f]
[,serial=s][,addr=A][,rerror=ignore|stop|report]
[,werror=ignore|stop|report|enospc][,id=name][,aio=threads|native]
[,readonly=on|off][,copy-on-read=on|off]
[,discard=ignore|unmap][,detect-zeroes=on|off|unmap]
[[,bps=b]|[[,bps_rd=r][,bps_wr=w]]]
[[,iops=i]|[[,iops_rd=r][,iops_wr=w]]]
[[,bps_max=bm]|[[,bps_rd_max=rm][,bps_wr_max=wm]]]
[[,iops_max=im]|[[,iops_rd_max=irm][,iops_wr_max=iwm]]]
[[,iops_size=is]]
[[,group=g]]
use 'file' as a drive image
-mtdblock file use 'file' as on-board Flash memory image
-sd file use 'file' as SecureDigital card image
-pflash file use 'file' as a parallel flash image
-snapshot write to temporary files instead of disk image files
-hdachs c,h,s[,t]
force hard disk 0 physical geometry and the optional BIOS
translation (t=none or lba) (usually QEMU can guess them)
-fsdev fsdriver,id=id[,path=path,][security_model={mapped-xattr|mapped-file|passthrough|none}]
[,writeout=immediate][,readonly][,socket=socket|sock_fd=sock_fd]
-virtfs local,path=path,mount_tag=tag,security_model=[mapped-xattr|mapped-file|passthrough|none]
[,writeout=immediate][,readonly][,socket=socket|sock_fd=sock_fd]
-virtfs_synth Create synthetic file system image
USB options:
-usb enable the USB driver (will be the default soon)
-usbdevice name add the host or guest USB device 'name'
Display options:
-display sdl[,frame=on|off][,alt_grab=on|off][,ctrl_grab=on|off]
[,window_close=on|off]|curses|none|
gtk[,grab_on_hover=on|off]|
vnc=<display>[,<optargs>]
select display type
-nographic disable graphical output and redirect serial I/Os to console
-curses use a curses/ncurses interface instead of SDL
-no-frame open SDL window without a frame and window decorations
-alt-grab use Ctrl-Alt-Shift to grab mouse (instead of Ctrl-Alt)
-ctrl-grab use Right-Ctrl to grab mouse (instead of Ctrl-Alt)
-no-quit disable SDL window close capability
-sdl enable SDL
-spice [port=port][,tls-port=secured-port][,x509-dir=<dir>]
[,x509-key-file=<file>][,x509-key-password=<file>]
[,x509-cert-file=<file>][,x509-cacert-file=<file>]
[,x509-dh-key-file=<file>][,addr=addr][,ipv4|ipv6|unix]
[,tls-ciphers=<list>]
[,tls-channel=[main|display|cursor|inputs|record|playback]]
[,plaintext-channel=[main|display|cursor|inputs|record|playback]]
[,sasl][,password=<secret>][,disable-ticketing]
[,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]
[,jpeg-wan-compression=[auto|never|always]]
[,zlib-glz-wan-compression=[auto|never|always]]
[,streaming-video=[off|all|filter]][,disable-copy-paste]
[,disable-agent-file-xfer][,agent-mouse=[on|off]]
[,playback-compression=[on|off]][,seamless-migration=[on|off]]
enable spice
at least one of {port, tls-port} is mandatory
-portrait rotate graphical output 90 deg left (only PXA LCD)
-rotate <deg> rotate graphical output some deg left (only PXA LCD)
-vga [std|cirrus|vmware|qxl|xenfb|tcx|cg3|virtio|none]
select video card type
-full-screen start in full screen
-vnc display start a VNC server on display
Network options:
-netdev user,id=str[,net=addr[/mask]][,host=addr][,restrict=on|off]
[,hostname=host][,dhcpstart=addr][,dns=addr][,dnssearch=domain][,tftp=dir]
[,bootfile=f][,hostfwd=rule][,guestfwd=rule][,smb=dir[,smbserver=addr]]
configure a user mode network backend with ID 'str',
its DHCP server and optional services
-netdev tap,id=str[,fd=h][,fds=x:y:...:z][,ifname=name][,script=file][,downscript=dfile]
[,helper=helper][,sndbuf=nbytes][,vnet_hdr=on|off][,vhost=on|off]
[,vhostfd=h][,vhostfds=x:y:...:z][,vhostforce=on|off][,queues=n]
configure a host TAP network backend with ID 'str'
use network scripts 'file' (default=/etc/qemu-ifup)
to configure it and 'dfile' (default=/etc/qemu-ifdown)
to deconfigure it
use '[down]script=no' to disable script execution
use network helper 'helper' (default=/usr/lib/qemu/qemu-bridge-helper) to
configure it
use 'fd=h' to connect to an already opened TAP interface
use 'fds=x:y:...:z' to connect to already opened multiqueue capable TAP interfaces
use 'sndbuf=nbytes' to limit the size of the send buffer (the
default is disabled 'sndbuf=0' to enable flow control set 'sndbuf=1048576')
use vnet_hdr=off to avoid enabling the IFF_VNET_HDR tap flag
use vnet_hdr=on to make the lack of IFF_VNET_HDR support an error condition
use vhost=on to enable experimental in kernel accelerator
(only has effect for virtio guests which use MSIX)
use vhostforce=on to force vhost on for non-MSIX virtio guests
use 'vhostfd=h' to connect to an already opened vhost net device
use 'vhostfds=x:y:...:z to connect to multiple already opened vhost net devices
use 'queues=n' to specify the number of queues to be created for multiqueue TAP
-netdev bridge,id=str[,br=bridge][,helper=helper]
configure a host TAP network backend with ID 'str' that is
connected to a bridge (default=br0)
using the program 'helper (default=/usr/lib/qemu/qemu-bridge-helper)
-netdev l2tpv3,id=str,src=srcaddr,dst=dstaddr[,srcport=srcport][,dstport=dstport]
[,rxsession=rxsession],txsession=txsession[,ipv6=on/off][,udp=on/off]
[,cookie64=on/off][,counter][,pincounter][,txcookie=txcookie]
[,rxcookie=rxcookie][,offset=offset]
configure a network backend with ID 'str' connected to
an Ethernet over L2TPv3 pseudowire.
Linux kernel 3.3+ as well as most routers can talk
L2TPv3. This transport allows connecting a VM to a VM,
VM to a router and even VM to Host. It is a nearly-universal
standard (RFC3391). Note - this implementation uses static
pre-configured tunnels (same as the Linux kernel).
use 'src=' to specify source address
use 'dst=' to specify destination address
use 'udp=on' to specify udp encapsulation
use 'srcport=' to specify source udp port
use 'dstport=' to specify destination udp port
use 'ipv6=on' to force v6
L2TPv3 uses cookies to prevent misconfiguration as
well as a weak security measure
use 'rxcookie=0x012345678' to specify a rxcookie
use 'txcookie=0x012345678' to specify a txcookie
use 'cookie64=on' to set cookie size to 64 bit, otherwise 32
use 'counter=off' to force a 'cut-down' L2TPv3 with no counter
use 'pincounter=on' to work around broken counter handling in peer
use 'offset=X' to add an extra offset between header and data
-netdev socket,id=str[,fd=h][,listen=[host]:port][,connect=host:port]
configure a network backend to connect to another network
using a socket connection
-netdev socket,id=str[,fd=h][,mcast=maddr:port[,localaddr=addr]]
configure a network backend to connect to a multicast maddr and port
use 'localaddr=addr' to specify the host address to send packets from
-netdev socket,id=str[,fd=h][,udp=host:port][,localaddr=host:port]
configure a network backend to connect to another network
using an UDP tunnel
-netdev vhost-user,id=str,chardev=dev[,vhostforce=on|off]
configure a vhost-user network, backed by a chardev 'dev'
-netdev hubport,id=str,hubid=n
configure a hub port on QEMU VLAN 'n'
-net nic[,vlan=n][,macaddr=mac][,model=type][,name=str][,addr=str][,vectors=v]
old way to create a new NIC and connect it to VLAN 'n'
(use the '-device devtype,netdev=str' option if possible instead)
-net dump[,vlan=n][,file=f][,len=n]
dump traffic on vlan 'n' to file 'f' (max n bytes per packet)
-net none use it alone to have zero network devices. If no -net option
is provided, the default is '-net nic -net user'
-net [user|tap|bridge|socket][,vlan=n][,option][,option][,...]
old way to initialize a host network interface
(use the -netdev option if possible instead)
Character device options:
-chardev null,id=id[,mux=on|off]
-chardev socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]
[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (tcp)
-chardev socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (unix)
-chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]
[,localport=localport][,ipv4][,ipv6][,mux=on|off]
-chardev msmouse,id=id[,mux=on|off]
-chardev vc,id=id[[,width=width][,height=height]][[,cols=cols][,rows=rows]]
[,mux=on|off]
-chardev ringbuf,id=id[,size=size]
-chardev file,id=id,path=path[,mux=on|off]
-chardev pipe,id=id,path=path[,mux=on|off]
-chardev pty,id=id[,mux=on|off]
-chardev stdio,id=id[,mux=on|off][,signal=on|off]
-chardev braille,id=id[,mux=on|off]
-chardev serial,id=id,path=path[,mux=on|off]
-chardev tty,id=id,path=path[,mux=on|off]
-chardev parallel,id=id,path=path[,mux=on|off]
-chardev parport,id=id,path=path[,mux=on|off]
-chardev spicevmc,id=id,name=name[,debug=debug]
-chardev spiceport,id=id,name=name[,debug=debug]
Device URL Syntax:
-iscsi [user=user][,password=password]
[,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE
[,initiator-name=initiator-iqn][,id=target-iqn]
[,timeout=timeout]
iSCSI session parameters
Bluetooth(R) options:
-bt hci,null dumb bluetooth HCI - doesn't respond to commands
-bt hci,host[:id]
use host's HCI with the given name
-bt hci[,vlan=n]
emulate a standard HCI in virtual scatternet 'n'
-bt vhci[,vlan=n]
add host computer to virtual scatternet 'n' using VHCI
-bt device:dev[,vlan=n]
emulate a bluetooth device 'dev' in scatternet 'n'
TPM device options:
-tpmdev passthrough,id=id[,path=path][,cancel-path=path]
use path to provide path to a character device; default is /dev/tpm0
use cancel-path to provide path to TPM's cancel sysfs entry; if
not provided it will be searched for in /sys/class/misc/tpm?/device
Linux/Multiboot boot specific:
-kernel bzImage use 'bzImage' as kernel image
-append cmdline use 'cmdline' as kernel command line
-initrd file use 'file' as initial ram disk
-dtb file use 'file' as device tree image
Debug/Expert options:
-fw_cfg [name=]<name>,file=<file>
add named fw_cfg entry from file
-fw_cfg [name=]<name>,string=<str>
add named fw_cfg entry from string
-serial dev redirect the serial port to char device 'dev'
-parallel dev redirect the parallel port to char device 'dev'
-monitor dev redirect the monitor to char device 'dev'
-qmp dev like -monitor but opens in 'control' mode
-qmp-pretty dev like -qmp but uses pretty JSON formatting
-mon [chardev=]name[,mode=readline|control][,default]
-debugcon dev redirect the debug console to char device 'dev'
-pidfile file write PID to 'file'
-singlestep always run in singlestep mode
-S freeze CPU at startup (use 'c' to start execution)
-realtime [mlock=on|off]
run qemu with realtime features
mlock=on|off controls mlock support (default: on)
-gdb dev wait for gdb connection on 'dev'
-s shorthand for -gdb tcp::1234
-d item1,... enable logging of specified items (use '-d help' for a list of log items)
-D logfile output log to logfile (default stderr)
-L path set the directory for the BIOS, VGA BIOS and keymaps
-bios file set the filename for the BIOS
-enable-kvm enable KVM full virtualization support
-xen-domid id specify xen guest domain id
-xen-create create domain using xen hypercalls, bypassing xend
warning: should not be used when xend is in use
-xen-attach attach to existing xen domain
xend will use this when starting QEMU
-no-reboot exit instead of rebooting
-no-shutdown stop before shutdown
-loadvm [tag|id]
start right away with a saved state (loadvm in monitor)
-daemonize daemonize QEMU after initializing
-option-rom rom load a file, rom, into the option ROM space
-rtc [base=utc|localtime|date][,clock=host|rt|vm][,driftfix=none|slew]
set the RTC base and clock, enable drift fix for clock ticks (x86 only)
-icount [shift=N|auto][,align=on|off][,sleep=no,rr=record|replay,rrfile=<filename>]
enable virtual instruction counter with 2^N clock ticks per
instruction, enable aligning the host and virtual clocks
or disable real time cpu sleeping
-watchdog model
enable virtual hardware watchdog [default=none]
-watchdog-action reset|shutdown|poweroff|pause|debug|none
action when watchdog fires [default=reset]
-echr chr set terminal escape character instead of ctrl-a
-virtioconsole c
set virtio console
-show-cursor show cursor
-tb-size n set TB size
-incoming tcp:[host]:port[,to=maxport][,ipv4][,ipv6]
-incoming rdma:host:port[,ipv4][,ipv6]
-incoming unix:socketpath
prepare for incoming migration, listen on
specified protocol and socket address
-incoming fd:fd
-incoming exec:cmdline
accept incoming migration on given file descriptor
or from given external command
-incoming defer
wait for the URI to be specified via migrate_incoming
-nodefaults don't create default devices
-chroot dir chroot to dir just before starting the VM
-runas user change to user id user just before starting the VM
-semihosting semihosting mode
-semihosting-config [enable=on|off][,target=native|gdb|auto][,arg=str[,...]]
semihosting configuration
-sandbox <arg> Enable seccomp mode 2 system call filter (default 'off').
-readconfig <file>
-writeconfig <file>
read/write config file
-nodefconfig
do not load default config files at startup
-no-user-config
do not load user-provided config files at startup
-trace [events=<file>][,file=<file>]
specify tracing options
-enable-fips enable FIPS 140-2 compliance
-msg timestamp[=on|off]
change the format of messages
on|off controls leading timestamps (default:on)
-dump-vmstate <file>
Output vmstate information in JSON format to file.
Use the scripts/vmstate-static-checker.py file to
check for possible regressions in migration code
by comparing two such vmstate dumps.
Generic object creation
-object TYPENAME[,PROP1=VALUE1,...]
create a new object of type TYPENAME setting properties
in the order they are specified. Note that the 'id'
property must be set. These objects are placed in the
'/objects' path.
During emulation, the following keys are useful:
ctrl-alt-f toggle full screen
ctrl-alt-n switch to virtual console 'n'
ctrl-alt toggle mouse and keyboard grab简化配置
从简只需要进行一把梭这个命令即可,但是无法与外部连接上网,但是其实也没必要能和外部上网,能够和本机通讯既可以满足我们的需求。
(可以把192.168.236换成本机的对于内容,不清楚怎么配尾部照抄即可)
sudo apt-get install bridge-utils
sudo apt-get install uml-utilities # UML(User-mode linux)工具
sudo brctl addbr Virbr0
sudo ifconfig Virbr0 192.168.236.1/24 up
sudo tunctl -t tap0
sudo ifconfig tap0 192.168.236.126/24 up
sudo brctl addif Virbr0 tap0
#qemu内
ifconfig eth0 192.168.236.2/24 up测试qemu桥接
Debian GNU/Linux 6.0 debian-mipsel ttyS0
debian-mipsel login: root
Password:
Linux debian-mipsel 3.2.0-4-4kc-malta #1 Debian 3.2.51-1 mips
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@debian-mipsel:~# ping 192.168.236.128
PING 192.168.236.128 (192.168.236.128) 56(84) bytes of data.
64 bytes from 192.168.236.128: icmp_req=1 ttl=64 time=6.80 ms
64 bytes from 192.168.236.128: icmp_req=2 ttl=64 time=1.82 ms
^Z
[1]+ Stopped ping 192.168.236.128传输文件系统
scp -r /mnt/hgfs/attachments/0day-learning/_dir645_FW_103.bin
.extracted/squashfs-root/ root@192.168.236.2:~/
#qemu
mount -o bind /dev ./squashfs-root/dev
mount -t proc /proc ./squashfs-root/proc/
chroot ./squashfs-root/ sh如果可以正常传输,那么我们网络配置的目的就达到了。
参考文章:
https://wzt.ac.cn/2021/05/28/QEMU-networking/
https://shadow-file.blogspot.com/2013/05/running-debian-mips-linux-in-qemu.html
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
