QEMU 10 improves RISC-V machines and brings accelerated Apple graphics
QEMU 10 delivers a lot of new features for RISC-V and ARM users. Apple systems get accelerated graphics in VMs with macOS.
- Michael Plura
The developers of QEMU (Quick EMUlator) have released version 10.0.0 of their free virtualization software. It contains over 2800 changes from 211 developers. QEMU is an open-source project under the GPLv2 license, apart from parts such as the Tiny Code Generator (TCG), which are mostly under BSD or MIT licenses. The list of new features and improvements shows changes in the emulation of the various architectures, especially for RISC-V and ARM, but also (still) a surprising amount for HPPA and LoongArch.
Further major progress with RISC-V
The QEMU emulation for RISC-V, the open instruction set architecture (ISA) published under the free BSD license, has received several important enhancements. QEMU 10 now supports the ISA extensions ssstateen, smrnmi, smdbltrp/ssdbltrp, supm/sspm and svukte. The last of these, for example, is intended to thwart attacks that try to discover the address space layout of the supervisor software and use it for exploits. A riscv-iommu-sys device is new, and a translation tag for the IOMMU page table cache is intended to speed up emulation.
Emulation of Tenstorrent Ascalon CPUs (1 to 8 cores), which target data centers and AI, and of the RV64 XiangShan NANHU CPU (1 to 2 cores), which is designed to run at up to 2.8 GHz in 7 nm, has been added. QEMU 10 now also emulates AMD's RISC-V MicroBlaze V, the soft-core microprocessor for Xilinx FPGAs.
Somewhat surprisingly, the RISC-V default machine is no longer supported. QEMU previously used “spike” as the default machine unless a machine option was specified on the command line, because “spike” was the first RISC-V machine implemented in QEMU. There are now several emulated RISC-V machines, so the developers want to force users to specify the exact machine type. The “spike” machine itself still exists, of course. Anyone who has not previously specified a machine and therefore used the default (spike) must explicitly add the -M spike parameter at startup from QEMU 10 onwards.
Caution with ARM and FEAT_PAUTH
The emulation of FEAT_PAUTH no longer uses the QARMA5 algorithm from the ARM/LLVM architecture for pointer authentication by default, but QEMU's own algorithm, because this is “significantly” faster and supposedly exactly what users want. It is therefore aimed at users who do not care whether the pointers in their code have been manipulated. With pointer authentication, pointers are signed: a cryptographic hash that includes additional data (pepper and salt) is stored for this purpose. Before such a pointer is used again, it must be authenticated by verifying its signature, which prevents pointers of unknown origin from replacing the signed pointer. Anyone who wants a secure ARM environment must therefore explicitly enable the QARMA5 option (-cpu max,pauth-qarma5=on) from QEMU 10 onwards.
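The sign-then-authenticate cycle described above, as an added illustration that is not QEMU code and does not implement QARMA5: a keyed MAC over the address and a modifier (the "additional data") is truncated into the unused upper bits of a 64-bit pointer, and authentication recomputes it. The 48-bit address width, the 16-bit PAC field and the key are assumptions of this model.

```python
"""Toy model of ARM pointer authentication (constructed example; HMAC stands in for QARMA5)."""
import hashlib
import hmac

VA_BITS = 48                       # assumed: 48-bit virtual addresses
PAC_BITS = 64 - VA_BITS            # the PAC lives in the 16 unused upper bits
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to the PAC field width."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + (modifier & (2**64 - 1)).to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign(key: bytes, ptr: int, modifier: int) -> int:
    """Embed the PAC in the upper bits; the low VA_BITS stay the plain address."""
    return (ptr & ADDR_MASK) | (compute_pac(key, ptr, modifier) << VA_BITS)


def authenticate(key: bytes, signed_ptr: int, modifier: int):
    """Return the plain pointer if the PAC matches, else None (hardware would trap
    or hand back a poisoned, non-dereferenceable pointer)."""
    ptr = signed_ptr & ADDR_MASK
    if (signed_ptr >> VA_BITS) & PAC_MASK != compute_pac(key, ptr, modifier):
        return None
    return ptr


if __name__ == "__main__":
    key = b"\x01" * 16               # constructed key; on hardware it is held in EL1-managed registers
    ret_addr, stack_ctx = 0x0000_4000_1234_5678, 0x7FFF_F000
    signed = sign(key, ret_addr, stack_ctx)
    print(f"signed pointer: {signed:#018x}")
    print("genuine:", authenticate(key, signed, stack_ctx) == ret_addr)
    print("PAC bit flipped:", authenticate(key, signed ^ (1 << 63), stack_ctx))
    print("wrong modifier:", authenticate(key, signed, stack_ctx + 1))
```

The point of the modifier is that a signed pointer stolen from one context does not authenticate in another, even when the attacker cannot forge a PAC without the key; the last two prints therefore show `None`.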
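Both changes in this article that silently alter behaviour for existing command lines, the missing RISC-V default machine and the new FEAT_PAUTH algorithm on the aarch64 "max" CPU, can be caught before a VM is started. The following added example (not QEMU project code) parses a QEMU invocation, reports the two conditions and returns a corrected command line; the choice of `-M spike` as the replacement and the handling of only the first `-cpu` option are its own assumptions.

```python
"""Preflight check for QEMU 10 command lines (constructed example, not QEMU project code)."""
import os
import shlex


def _first_cpu(argv):
    """Return (index, model, {prop: value}) for the first -cpu option, or (None, None, {})."""
    for i, tok in enumerate(argv[:-1]):
        if tok == "-cpu":
            model, *props = argv[i + 1].split(",")
            kv = dict(p.partition("=")[::2] for p in props)
            return i + 1, model, kv
    return None, None, {}


def _has_machine(argv):
    """True when a machine type is given explicitly (-M or -machine)."""
    return any(tok in ("-M", "-machine") for tok in argv)


def check_cmdline(cmdline: str):
    """Return a list of findings; an empty list means the command line is unaffected."""
    argv = shlex.split(cmdline)
    if not argv:
        return ["empty command line"]
    binary = os.path.basename(argv[0])
    findings = []
    if binary.startswith("qemu-system-riscv") and not _has_machine(argv):
        findings.append("no -M/-machine given: QEMU 10 has no default RISC-V machine; "
                        "add '-M spike' to keep the previous behaviour")
    if binary == "qemu-system-aarch64":
        _, model, props = _first_cpu(argv)
        if model == "max" and props.get("pauth-qarma5") != "on":
            findings.append("-cpu max without pauth-qarma5=on: QEMU 10 emulates FEAT_PAUTH "
                            "with its own faster algorithm instead of QARMA5")
    return findings


def harden_cmdline(cmdline: str) -> str:
    """Return the command line with the explicit options added (assumed fix: -M spike)."""
    argv = shlex.split(cmdline)
    binary = os.path.basename(argv[0]) if argv else ""
    if binary.startswith("qemu-system-riscv") and not _has_machine(argv):
        argv[1:1] = ["-M", "spike"]
    if binary == "qemu-system-aarch64":
        idx, model, props = _first_cpu(argv)
        if model == "max" and props.get("pauth-qarma5") != "on":
            props["pauth-qarma5"] = "on"
            argv[idx] = ",".join([model] + [f"{k}={v}" if v else k for k, v in props.items()])
    return shlex.join(argv)


if __name__ == "__main__":
    # constructed sample invocations
    for cmd in ("qemu-system-riscv64 -nographic -kernel fw.elf",
                "qemu-system-aarch64 -M virt -cpu max,sve=off -kernel Image"):
        for finding in check_cmdline(cmd):
            print(f"{cmd}\n  -> {finding}")
        print("  fixed:", harden_cmdline(cmd))
```

Running the script over a launcher's stored command lines is a cheap way to find VMs that would either fail to boot after the upgrade (RISC-V) or quietly lose QARMA5 pointer-authentication semantics (aarch64).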
ARMv8 architecture features such as FEAT_AFP, FEAT_RPRES and FEAT_XS, as well as emulation of the physical and virtual timers of Secure EL2, have been added. The “Secure” should not be overrated: the Exception Levels (EL) range from EL0 to EL3. Roughly speaking, EL0 is user space, EL1 is the kernel/operating system, EL2 is for hypervisors (and “non-secure”), and only EL3, the highest privilege level, is called the “Secure Monitor”.
In addition, QEMU 10 provides two new ARM board models: the NPCM845 Evaluation Board and the i.MX 8M Plus EVK Board.
HPPA and LoongArch are still alive
Fortunately, there are still QEMU developers working on older or unusual architectures. The 10.0.0 release does not include any explicit new features or fixes for SPARC, MIPS, PowerPC, Alpha or 68k this time. LoongArch, the RISC architecture developed in China and derived from MIPS, has also contributed to QEMU development (Binary Translation Instructions to accelerate x86 CPU emulation). With QEMU 10, LoongArch machines gain more KVM support, such as CPU hotplug. HPPA (also known as PA-RISC), a predecessor of the long-buried Itanium processor, now runs with an updated SeaBIOS-hppa V18 and can emulate up to 256 GB of RAM. An emulated HP Diva GSP (Guardian Service Processor) PCI board for remote maintenance and more flexible graphics card options have also been added.
Intel/AMD VMs have also received some attention, such as faster emulation of string instructions on x86 architectures. Two new CPU models, ClearwaterForest and SierraForest-v2, have also been added.
Apple: macOS guests with accelerated graphics
QEMU 10 introduces two new emulated devices, apple-gfx-pci and apple-gfx-mmio. As the names suggest, they provide accelerated graphics for macOS guests on macOS hosts via ParavirtualizedGraphics.framework. apple-gfx-pci is intended for x86-64, while apple-gfx-mmio replicates the graphics device implemented by Virtualization.framework in the aarch64 version of macOS. This should make the graphical user interface of macOS guests significantly smoother.
VirtIO SCSI devices have received “real” multi-queue support with QEMU 10.0, which improves I/O scalability. VirtIO-Mem is now also available on IBM s390x, and the VirtIO-Balloon statistics are reset to zero when the machine is reset. The VFIO code has received many improvements and now also supports old ATI X550 GPUs.
Many other detailed changes and possible incompatibilities of QEMU 10.0.0 are documented in the changelog. The online documentation and the current source code are also available free of charge on the QEMU project page.
(dmk)