qemu

基于QEMU进⾏arm仿真开发（以vexpress-a9为例）

背景

基于QEMU的仿真可以节省硬件成本。

参考：、

我们在这⼀讲主要以搭建仿真环境为主。

host平台 ：Ubuntu16.04

qemu3.0.0

arm-linux-gcc:v7.4.120181213[linaro-7.4-2019.02revision56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4]

QEMU介绍

Qemu是纯软件实现的虚拟化模拟器，⼏乎可以模拟任何硬件设备，我们最熟悉的就是能够模拟⼀台能够独⽴运⾏操作系统的虚拟机，虚拟

机认为⾃⼰和硬件打交道，但其实是和Qemu模拟出来的硬件打交道，Qemu将这些指令转译给真正的硬件。

正因为Qemu是纯软件实现的，所有的指令都要经Qemu过⼀⼿，性能⾮常低，所以，在⽣产环境中，⼤多数的做法都是配合KVM来完

成虚拟化⼯作，因为KVM是硬件辅助的虚拟化技术，主要负责⽐较繁琐的CPU和内存虚拟化，⽽Qemu则负责I/O虚拟化，两者合作

各⾃发挥⾃⾝的优势，相得益彰。

QEMU同时也是⼀个⾮常简单的虚拟机，给它⼀个硬盘镜像就可以启动⼀个虚拟机，如果想定制这个虚拟机的配置，⽐如⽤什么样的CPU

啊、什么样的显卡啊、什么样的⽹络配置啊，指定相应的命令⾏参数就可以了。它⽀持许多格式的磁盘镜像，包括VirtualBox创建的磁盘

镜像⽂件。它同时也提供⼀个创建和管理磁盘镜像的⼯具qemu-img。QEMU及其⼯具所使⽤的命令⾏参数，直接查看其⽂档即可。

QEMU安装

由于包管理器中的qemu太⽼了，所以我们采取基于源码的安装。

在此之前，需要先准备好有关的环境

sudoapt-getinstallbuild-essentialpkg-configzlib1g-devlibglib2.0-0libglib2.0-devlibsdl1.2-devlibpixman-1-devlibfdt-devautoconfautomakelibtoollibrbd-devlib

下载有关的源码

wget/2

编译有关的源码

cdqemu-3.0.0

./configure--prefix=/usr/local/qemu--target-list=arm-softmmu--audio-drv-list=

sudomake&&sudomakeinstall

sudoln-s/usr/local/qemu/bin/*/usr/local/bin/

#--target-list：选择⽬标机器的架构。默认是将所有的架构都编译，但为了更快的完成编译，指定需要的架构即可。

测试

qemu-img-V

qemu-imgversion3.0.0

Copyright(c)2003-2017FabriceBellardandtheQEMUProjectdevelopers

查看QEMU⽀持的板⼦

$qemu-system-arm-Mhelp

Supportedmachinesare:

akitaSharpSL-C1000(Akita)PDA(PXA270)

ast2500-evbAspeedAST2500EVB(ARM1176)

borzoiSharpSL-C3100(Borzoi)PDA(PXA270)

canon-a1100CanonPowerShotA1100IS

cheetahPalmTungsten|hPDA(OMAP310)

collieSharpSL-5500(Collie)PDA(SA-1110)

connexGumstixConnex(PXA255)

cubieboardcubietechcubieboard

emcraft-sf2SmartFusion2SOMkitfromEmcraft(M2S010)

highbankCalxedaHighbank(ECX-1000)

25PDKboard(ARM926)

integratorcpARMIntegrator/CP(ARM926EJ-S)

kzmARMKZMEmulationBaseboard(ARM1136)

lm3s6965evbStellarisLM3S6965EVB

lm3s811evbStellarisLM3S811EVB

mainstoneMainstoneII(PXA27x)

7DUALSABRE(CortexA7)

midwayCalxedaMidway(ECX-2000)

mps2-an385ARMMPS2withAN385FPGAimageforCortex-M3

mps2-an505ARMMPS2withAN505FPGAimageforCortex-M33

mps2-an511ARMMPS2withAN511DesignStartFPGAimageforCortex-M3

musicpalMarvell88w8618/MusicPal(ARM926EJ-S)

-34(OMAP2420)

-44(OMAP2420)

netduino2Netduino2Machine

noneemptymachine

nuriSamsungNURIboard(Exynos4210)

palmetto-bmcOpenPOWERPalmettoBMC(ARM926EJ-S)

raspi2RaspberryPi2

realview-ebARMRealViewEmulationBaseboard(ARM926EJ-S)

realview-eb-mpcoreARMRealViewEmulationBaseboard(ARM11MPCore)

realview-pb-a8ARMRealViewPlatformBaseboardforCortex-A8

realview-pbx-a9ARMRealViewPlatformBaseboardExploreforCortex-A9

romulus-bmcOpenPOWERRomulusBMC(ARM1176)

6QuadSABRELiteBoard(CortexA9)

smdkc210SamsungSMDKC210board(Exynos4210)

spitzSharpSL-C3000(Spitz)PDA(PXA270)

sx1SiemensSX1(OMAP310)V2

sx1-v1SiemensSX1(OMAP310)V1

terrierSharpSL-C3200(Terrier)PDA(PXA270)

tosaSharpSL-6000(Tosa)PDA(PXA255)

verdexGumstixVerdex(PXA270)

versatileabARMVersatile/AB(ARM926EJ-S)

versatilepbARMVersatile/PB(ARM926EJ-S)

vexpress-a15ARMVersatileExpressforCortex-A15

vexpress-a9ARMVersatileExpressforCortex-A9

virt-2.10QEMU2.10ARMVirtualMachine

virt-2.11QEMU2.11ARMVirtualMachine

virt-2.12QEMU2.12ARMVirtualMachine

virt-2.6QEMU2.6ARMVirtualMachine

virt-2.7QEMU2.7ARMVirtualMachine

virt-2.8QEMU2.8ARMVirtualMachine

virt-2.9QEMU2.9ARMVirtualMachine

virtQEMU3.0ARMVirtualMachine(aliasofvirt-3.0)

virt-3.0QEMU3.0ARMVirtualMachine

witherspoon-bmcOpenPOWERWitherspoonBMC(ARM1176)

xilinx-zynq-a9XilinxZynqPlatformBaseboardforCortex-A9

z2ZipitZ2(PXA27x)

仿真⽂件的准备

仿真很简单，只需要类似这样的：

qemu-system-arm-Mvexpress-a9

-m512M

-kernel./uImage

-dtb./

-nographic

-append"console=ttyAMA0"

或者是这样的

qemu-system-arm-Mvexpress-a9-m512M-kernelarch/arm/boot/zImage-dtbarch/arm/boot/dts/-nographic-append"console=ttyAMA0"

其中，有关参数的解释如下：

-Mvexpress-a9模拟vexpress-a9单板，你能够使⽤-M?參数来获取该qemu版本号⽀持的全部单板

-m512M单板执⾏物理内存512M

-kernelarch/arm/boot/zImage告诉qemu单板执⾏内核镜像路径

-dtbarch/arm/boot/dts/告诉qemu单板的设备树（必须加⼊）

-nographic不使⽤图形化界⾯，仅仅使⽤串⼝

-append"console=ttyAMA0"内核启动參数。这⾥告诉内核vexpress单板执⾏。串⼝设备是哪个tty。

我们唯⼀缺少的就是有关的启动⽂件，查阅有关资料才发现，QEMU的仿真需要有编译好以后的⽂件，因为根据QEMU的原理来看，

需要⼆进制⽂件。

QEMU是⼀个主机上的VMM（virtualmachinemonitor）,通过动态⼆进制转换来模拟CPU，并提供⼀系列的硬件模型，使guest

os认为⾃⼰和硬件直接打交道，其实是同QEMU模拟出来的硬件打交道，QEMU再将这些指令翻译给真正硬件进⾏操作。通过这种模

式，guestos可以和主机上的硬盘，⽹卡，CPU，CD-ROM，⾳频设备和USB设备进⾏交互。

编译有关的Uboot、kernel、⽂件系统

安装有关环境：sudoapt-getinstallflexbisonflex-y

编译uboot并仿真

编译

gitclonegit:///

cdu-boot

exportARCH=arm

exportCROSS_COMPILE=arm-linux-gnueabihf-

makeclean&&makevexpress_ca9x4_defconfig

make-j4

仿真

qemu-system-arm-Mvexpress-a9-m256-kernelu-boot-nographic

结果

因为下载实在是太慢了，我使⽤了⼀个之前下载好的早期uboot版本。

U-Boot2018.01(Feb222020-17:34:52+0800)

DRAM:256MiB

WARNING:Cachesnotenabled

Flash:128MiB

MMC:MMC:0

***Warning-badCRC,usingdefaultenvironment

In:serial

Out:serial

Err:serial

Net:smc911x-0

Hitanykeytostopautoboot:0

MMCDevice1notfound

nommcdeviceatslot1

Carddidnotrespondtovoltageselect!

mmc_init:-95,time23

smc911x:MAC52:54:00:12:34:56

smc911x:detectedLAN9118controller

smc911x:phyinitialized

smc911x:MAC52:54:00:12:34:56

BOOTPbroadcast1

DHCPclientboundtoaddress10.0.2.15(3ms)

***Warning:nobootfilename;using''

Usingsmc911x-0device

TFTPfromserver10.0.2.2;ourIPaddressis10.0.2.15

...

输⼊ctrl+A后按X退出QEMU

编译kernel并仿真

编译

#gitclonegit:///pub/scm/linux/kernel/git/stable/nel&&cdkernel

wget/linux-kernel/v4.x/&&&&cdlinux-4.14.14

exportARCH=arm

exportCROSS_COMPILE=arm-linux-gnueabi-

makeclean

makevexpress_defconfig

makemenuconfig

#在配置中找到并去掉EnabletheL2x0outercachecontroller取消，会导致仿真失败起不来

#SystemType->EnabletheL2x0outercachecontroller，或搜索CACHE_L2X0

make-j8

#schips@ubuntuin~/arm/sc/linux-4.1.11[18:19:19]

$make-j4

HOSTCCscripts/kallsyms

Infileincludedfrominclude/linux/compiler.h:54:0,

frominclude/uapi/linux/stddef.h:1,

frominclude/linux/stddef.h:4,

from./include/uapi/linux/posix_types.h:4,

frominclude/uapi/linux/types.h:13,

frominclude/linux/types.h:5,

frominclude/linux/mod_devicetable.h:11,

fromscripts/mod/devicetable-offsets.c:2:

include/linux/compiler-gcc.h:121:1:fatalerror:linux/compiler-gcc7.h:Nosuchfileordirectory

#includegcc_header(__GNUC__)

如果遇到上⾯的情况，就说明是⼯具链太新了，要么换旧的⼯具链来匹配这个低版本的内核；要么就再找⼀个⾼版本的内核

仿真

qemu-system-arm-Mvexpress-a9-m512M-kernelarch/arm/boot/zImage-dtbarch/arm/boot/dts/-nographic-append"console=ttyAMA0"

#指定设备树，否则会失败

结果

不出意外的话会在⽂件系统那⾥停下来。

BootingLinuxonphysicalCPU0x0

Linuxversion4.14.14(schips@ubuntu)(gccversion7.4.120181213[linaro-7.4-2019.02revision56ec6f6b99cc167ff0c2f8e1a2eed33b1edc85d4](LinaroGCC7.

CPU:ARMv7Processor[410fc090]revision0(ARMv7),cr=10c5387d

CPU:PIPT/VIPTnonaliasingdatacache,VIPTnonaliasinginstructioncache

OF:fdt:Machinemodel:V2P-CA9

Memorypolicy:Datacachewriteback

CPU:AllCPU(s)startedinSVCmode.

percpu:Embedded16pages/cpu@9fbae000s36428r8192d20916u65536

Built1zonelists,ages:130048

Kernelcommandline:console=ttyAMA0

log_buf_lenindividualmaxcpucontribution:4096bytes

log_buf_lentotalcpu_extracontributions:12288bytes

log_buf_lenminsize:16384bytes

log_buf_len:32768bytes

earlylogbuffree:14964(91%)

PIDhashtableentries:2048(order:1,8192bytes)

Dentrycachehashtableentries:65536(order:6,262144bytes)

Inode-cachehashtableentries:32768(order:5,131072bytes)

Memory:509556K/524288Kavailable(6144Kkernelcode,402Krwdata,1364Krodata,1024Kinit,169Kbss,14732Kreserved,0Kcma-reserved)

Virtualkernelmemorylayout:

vector:0xffff0000-0xffff1000(4kB)

fixmap:0xffc00000-0xfff00000(3072kB)

vmalloc:0xa0800000-0xff800000(1520MB)

lowmem:0x80000000-0xa0000000(512MB)

modules:0x7f000000-0x80000000(16MB)

.text:0x80008000-0x80700000(7136kB)

.init:0x80900000-0x80a00000(1024kB)

.data:0x80a00000-0x80a649b8(403kB)

.bss:0x80a6bd30-0x80a964b4(170kB)

SLUB:HWalign=64,Order=0-3,MinObjects=0,CPUs=4,Nodes=1

HierarchicalRCUimplementation.

RCUeventtracingisenabled.

RCUrestrictingCPUsfromNR_CPUS=8tonr_cpu_ids=4.

RCU:Adjustinggeometryforrcu_fanout_leaf=16,nr_cpu_ids=4

NR_IRQS:16,nr_irqs:16,preallocatedirqs:16

GICCPUmasknotfound-kernelwillfailtoboot.

...(省略很多⾏)

input:ImExPS/2GenericExplorerMouseas/devices/platform/smb@4000000/smb@4000000:motherboard/smb@4000000:motherboard:iofpga@7,00000000/10

VFS:Cannotopenrootdevice"(null)"orunknown-block(0,0):error-6

Pleaseappendacorrect"root="bootoption;herearetheavailablepartitions:

1f00131072mtdblock0

(driver?)

1f0132768mtdblock1

(driver?)

Kernelpanic-notsyncing:VFS:Unabletomountrootfsonunknown-block(0,0)

CPU:0PID:1Comm:swapper/0Nottainted4.14.14#1

Hardwarename:ARM-VersatileExpress

[<8010faac>](unwind_backtrace)from[<8010bdd4>](show_stack+0x10/0x14)

[<8010bdd4>](show_stack)from[<8065a728>](dump_stack+0x88/0x9c)

[<8065a728>](dump_stack)from[<8011db88>](panic+0xdc/0x248)

[<8011db88>](panic)from[<809012b0>](mount_block_root+0x1d4/0x2a8)

[<809012b0>](mount_block_root)from[<809014a4>](mount_root+0x120/0x128)

[<809014a4>](mount_root)from[<809015fc>](prepare_namespace+0x150/0x194)

[<809015fc>](prepare_namespace)from[<80900eb4>](kernel_init_freeable+0x248/0x258)

[<80900eb4>](kernel_init_freeable)from[<8066d548>](kernel_init+0x8/0x108)

[<8066d548>](kernel_init)from[<80107968>](ret_from_fork+0x14/0x2c)

---[endKernelpanic-notsyncing:VFS:Unabletomountrootfsonunknown-block(0,0)

基于busybox制作rootfs，并让kernel带有rootfs仿真

编译以及制作

gitclonegit:///&&cdbusybox

exportARCH=arm

exportCROSS_COMPILE=arm-linux-gnueabi-

makedefconfig

makemenuconfig

#勾选BusyboxSetting->BuildOptions->[*]Buildstaticbinary(nosharedlibs)或者搜索CONFIG_STATIC

make-j4

makeinstall

制作

###CopyrightBySchips,AllRightsReserved

#/schips/

#FileName:make_

#Created:Sat22Feb202009:39:26PMCST

###!/bin/sh

base=`pwd`

tmpfs=/_tmpfs

sudorm-rfrootfs

sudorm-rf${tmpfs}

3

sudomkdirrootfs

sudocp_install/*rootfs/-raf

#sudomkdir-prootfs/{lib,proc,sys,tmp,root,var,mnt}

cdrootfs&&sudomkdir-plibprocsystmprootvarmnt&&cd${base}

#根据⾃⼰的实际情况,找到并拷贝arm-gcc中的libc中的所有.so库

sudocp-arf/usr/cross/gcc-linaro-7.4.1-2019.02-i686_arm-linux-gnueabi/arm-linux-gnueabi/libc/lib/*so*rootfs/lib

sudocpapprootfs

sudocpexamples/bootfloppy/etcrootfs/-arf

sudosed-r"/askfirst/s/.*/::respawn:-binsh/"rootfs/etc/inittab-i

sudomkdir-prootfs/dev/

sudomknodrootfs/dev/tty1c41

sudomknodrootfs/dev/tty2c42pro

sudomknodrootfs/dev/tty3c43

sudomknodrootfs/dev/tty4c44

sudomknodrootfs/dev/consolec51

sudomknodrootfs/dev/nullc13

sudoddif=/dev/zeroof=3bs=1Mcount=64

#如果提⽰"Nospaceleftondevice"证明dd命令中count的⼤⼩不够

3

sudomkdir-p${tmpfs}

sudochmod777${tmpfs}

3${tmpfs}/-oloop

sudocp-rrootfs/*${tmpfs}/

sudoumount${tmpfs}

仿真

qemu-system-arm-Mvexpress-a9-m512M-kernelarch/arm/boot/zImage-dtbarch/arm/boot/dts/-nographic-append"root=/dev/m

#同样地，只要是仿真kernle就需要指定设备树

结果（节选）

usbhid:USBHIDcoredriver

mmcblk0:mmc0:4567QEMU!32.0MiB

:ARMAC'97InterfacePL041rev0at0x10004000,irq33

:FIFO512entries

oprofile:usingarm/armv7-ca9

NET:Registeredprotocolfamily17

9pnet:Installing9P2000support

RegisteringSWP/SWPBemulationhandler

:settingsystemclockto2020-02-2214:26:16UTC(1582381576)

ALSAdevicelist:

#0:ARMAC'97InterfacePL041rev0at0x10004000,irq33

input:ImExPS/2GenericExplorerMouseas/devices/platform/smb@4000000/smb@4000000:motherboard/smb@4000000:motherboard:iofpga@7,00000000/10

EXT4-fs(mmcblk0):mountingext3filesystemusingtheext4subsystem

EXT4-fs(mmcblk0)::(null)

VFS:Mountedroot(ext3filesystem)ondevice179:0.

Freeingunusedkernelmemory:1024K

random:crnginitdone

Processing/etc/profile...Done

/#ls

binlibmntsbinusr

devlinuxrcprocsysvar

etclost+foundroottmp

由于篇幅有限，我们在下⼀讲介绍更加⾼级的：《qemu运⾏uboot，在仿真中动态加载内核与⽂件系统》