Hi,

This series makes HMP compile-time optional via --disable-hmp. The
resulting binary speaks only QMP - reducing the attack surface, binary
size and enforcing a separation between machine-readable interface and
interactive debugging console.

QMP offers almost all the functionality HMP could provide, so a separate
standalone "HMP-like" console could be implemented on top of it. The
rough list of missing commands (+complexity estimation) after this
series:

Debugging / introspection:
- info registers (medium) - plus $reg expression handling
- x/xp read memory (medium)
- gpa2hpa/gpa2hva/gva2gpa address translation (medium)
- info lapic (high) - deep x86 APIC state, lots of registers
- info mem (high) - virtual memory mappings, different per arch
- info tlb (high) - virt-to-phys mappings, also per arch
- info mtree (high) - memory region tree, multiple view modes
- info skeys (medium) - s390x storage keys
- info cmma (medium) - s390x CMMA values
- info qdm (easy) - could probably be folded into QOM introspection
- info qtree (medium) - same, maybe QOM introspection is enough
- info snapshots (medium)
- info usbhost (medium)
- info via (medium) -- VIA south bridge state

Simple actions / settings:
- gdbserver (trivial)
- boot_set (easy)
- mce (easy) - x86 MCE injection
- sum (easy) - memory checksum
- sync-profile (easy) - enable/disable/reset
- info sync-profile (medium)
- one-insn-per-tb (easy) - could be a QOM property on the accelerator
- pcie_aer_inject_error (easy)
- migration_mode (medium?)
- i/o ioport read/write (easy)
- hostfwd-add/hostfwd-remove (medium) - slirp port forwarding
- log/logfile (medium)
- trace-file (medium)

Also, to let clients do disassembly on their side, it'd be useful to
have something like "query-disassemble-info" that gives the client what
architecture and endianness is used etc.

In the meantime, being able to build without HMP is valuable and helps
identifying the missing pieces. The series does so by steps:

- preparatory cleanups and bug fixes
- add commands without QMP equivalent and needed for tests
- convert most iotests and qtests from HMP to QMP
- guard HMP-only code paths
- make HMP source files conditional in the build system

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
Marc-André Lureau (40):
      vl: fix -monitor none prefix matching
      hmp: remove 'vcpu' argument from trace-event help
      hmp: fix snapshot_blkdev argument type
      target/i386: decouple cpu_x86_inject_mce() from Monitor
      system: move gpa2hva() to system memory unit
      s390x: prevent crash if given invalid CPU#
      system: decouple qmp_inject_nmi() from Monitor
      hmp: correct the nmi documentation
      monitor: move HMP-only fields from Monitor to MonitorHMP
      tests/functional: use query-version QMP command instead of HMP
      net/qapi: add x-query-usernet
      tests: use x-query-usernet
      RFC: qtest: add -qtest-no-ts option
      qemu-io: propagate errors through Error API instead of printf
      block: add x-qemu-io QMP command
      tests/qemu-iotests/N: use x-qemu-io QMP command
      tests/qemu-iotests/181, 192, 249: convert to QMP
      tests/qemu-iotests/186: convert from HMP to QMP
      tests/qemu-iotests/copy-before-write: convert to QMP
      tests/qemu-iotests: skip some 172 & 267 that require HMP
      RFC: qtest: add qemu-io command to the qtest protocol
      RFC: qtest/ide-test: convert to use qtest qemu-io command
      tests/qtest/numa-test: replace HMP "info numa" with QMP query-cpus-fast
      tests/qtest/pnv: drop unnecessary -serial mon:stdio
      net: add x-query-network QMP command
      tests/qtest/netdev-socket: replace HMP with x-query-network QMP
      tests/qtest/cdrom-test: replace HMP "info block" with QMP query-block
      tests/qtest/qmp-test: don't depend on human-monitor-command
      build-sys: add 'hmp' option
      tests/qtest/device-introspect-test: fix test without HMP
      tests/qtest/drive_del-test: guard HMP-dependent tests with CONFIG_HMP
      qapi: make HMP-specific schema entries conditional on CONFIG_HMP
      monitor: guard HMP-specific code with CONFIG_HMP
      util: guard monitor_vprintf callers with CONFIG_HMP
      system: guard HMP initialization paths with CONFIG_HMP
      hw: guard BusClass::print_dev with CONFIG_HMP
      target: guard MonitorDef tables with CONFIG_HMP
      Guard HMP command implementations with CONFIG_HMP
      build-sys: make HMP source files conditional on have_hmp
      gitlab-ci: add --disable-hmp to build-without-defaults

 meson.build                                   |   6 +-
 qapi/block.json                               |  34 ++
 qapi/control.json                             |   4 +-
 qapi/machine.json                             |   5 +-
 qapi/misc.json                                |   3 +-
 qapi/net.json                                 | 166 ++++++++++
 qapi/qom.json                                 |   5 +-
 include/hw/core/qdev.h                        |   2 +
 include/hw/core/sysemu-cpu-ops.h              |   2 +
 include/monitor/hmp.h                         |   2 +
 include/monitor/monitor.h                     |  11 +-
 include/net/net.h                             |   3 +-
 include/qemu-io.h                             |   4 +-
 include/system/memory.h                       |   2 +
 include/system/qtest.h                        |   3 +-
 monitor/monitor-internal.h                    |   4 +-
 net/hub.h                                     |   4 +-
 target/i386/cpu.h                             |   4 +-
 tests/qtest/libqtest.h                        |  11 +
 accel/accel-system.c                          |   2 +
 accel/tcg/monitor.c                           |   2 +
 block/monitor/block-hmp-cmds.c                |  60 +---
 block/monitor/qmp-cmds.c                      |  79 +++++
 chardev/char.c                                |   7 +
 gdbstub/system.c                              |   8 +
 hw/char/virtio-serial-bus.c                   |   6 +
 hw/core/sysbus.c                              |   6 +
 hw/i386/kvm/xen-stubs.c                       |   2 +
 hw/i386/kvm/xen_evtchn.c                      |   3 +-
 hw/i386/sgx.c                                 |   2 +
 hw/misc/auxbus.c                              |  16 +-
 hw/misc/mos6522-stub.c                        |   2 +
 hw/misc/mos6522.c                             |   2 +
 hw/pci/pci-hmp-cmds.c                         |   2 +
 hw/pci/pci-stub.c                             |   2 +
 hw/pci/pci.c                                  |   2 +
 hw/s390x/s390-skeys.c                         |   2 +
 hw/s390x/s390-stattrib.c                      |   4 +
 hw/s390x/s390-virtio-ccw.c                    |   5 +
 hw/uefi/ovmf-log.c                            |   2 +
 hw/usb/bus.c                                  |   6 +
 hw/usb/host-libusb.c                          |   6 +
 hw/xen/xen-bus.c                              |   4 +
 migration/dirtyrate.c                         |   2 +
 monitor/hmp-cmds.c                            |  48 +--
 monitor/hmp.c                                 |   5 +-
 monitor/monitor.c                             |  47 ++-
 monitor/qmp-cmds.c                            |   2 +
 net/hub.c                                     |  29 +-
 net/net-hmp-cmds.c                            |  59 +++-
 net/net.c                                     |  70 +++-
 net/slirp.c                                   |  41 ++-
 qemu-io-cmds.c                                | 426 +++++++++++++------------
 qemu-io.c                                     |  17 +-
 replay/replay-debugging.c                     |   8 +
 replay/stubs-system.c                         |   6 +
 stubs/monitor-core.c                          |   2 +
 stubs/monitor-internal.c                      |   2 +
 system/cpus.c                                 |   7 +-
 system/dirtylimit.c                           |   6 +
 system/physmem.c                              |  31 ++
 system/qdev-monitor.c                         |   4 +
 system/qtest.c                                |  75 ++++-
 system/vl.c                                   |  13 +-
 target/i386/cpu-apic.c                        |   2 +
 target/i386/cpu.c                             |   4 +
 target/i386/helper.c                          |  49 +--
 target/i386/kvm/kvm.c                         |   4 +-
 target/i386/monitor.c                         |   9 +-
 target/i386/sev.c                             |   2 +
 target/m68k/cpu.c                             |   4 +
 target/m68k/monitor.c                         |   2 +
 target/ppc/monitor.c                          |   2 +
 target/riscv/monitor.c                        |   3 +
 target/sh4/monitor.c                          |   2 +
 target/sparc/cpu.c                            |   5 +-
 target/sparc/monitor.c                        |   2 +
 target/xtensa/monitor.c                       |   2 +
 tests/qtest/cdrom-test.c                      |  29 +-
 tests/qtest/device-introspect-test.c          | 111 +++++--
 tests/qtest/drive_del-test.c                  |  14 +
 tests/qtest/ide-test.c                        |   4 +-
 tests/qtest/libqtest.c                        |  14 +
 tests/qtest/netdev-socket.c                   | 143 +++++----
 tests/qtest/numa-test.c                       |  63 +++-
 tests/qtest/pnv-host-i2c-test.c               |   2 +-
 tests/qtest/pnv-xive2-test.c                  |   2 +-
 tests/qtest/qmp-test.c                        |   9 +-
 tests/unit/test-util-sockets.c                |   4 +-
 tools/qemu-vnc/stubs.c                        |   2 +
 util/error-report.c                           |   8 +-
 util/qemu-print.c                             |   6 +
 .gitlab-ci.d/buildtest.yml                    |   1 +
 audio/meson.build                             |   4 +-
 backends/meson.build                          |   5 +-
 block/monitor/meson.build                     |   5 +-
 chardev/meson.build                           |   5 +-
 disas/meson.build                             |   4 +-
 dump/meson.build                              |   5 +-
 hmp-commands-info.hx                          |   6 +-
 hmp-commands.hx                               |  14 +-
 hw/core/meson.build                           |   5 +-
 hw/i386/meson.build                           |   4 +-
 hw/net/meson.build                            |   4 +-
 hw/pci/meson.build                            |   4 +-
 hw/virtio/meson.build                         |   4 +-
 meson_options.txt                             |   2 +
 migration/meson.build                         |   4 +-
 monitor/meson.build                           |   9 +-
 net/meson.build                               |   4 +-
 python/qemu/utils/__init__.py                 |   5 +-
 qemu-options.hx                               |   7 +-
 qom/meson.build                               |   4 +-
 scripts/meson-buildoptions.sh                 |   3 +
 stats/meson.build                             |   5 +-
 stubs/meson.build                             |  12 +-
 system/meson.build                            |   9 +-
 tests/functional/generic/test_version.py      |  10 +-
 tests/functional/qemu_test/utils.py           |   8 +-
 tests/qemu-iotests/004.out                    |  20 +-
 tests/qemu-iotests/021.out                    |  60 ++--
 tests/qemu-iotests/060                        |   8 +-
 tests/qemu-iotests/060.out                    |  44 ++-
 tests/qemu-iotests/071                        |  30 +-
 tests/qemu-iotests/071.out                    |  14 +-
 tests/qemu-iotests/072.out                    |   2 +-
 tests/qemu-iotests/080.out                    |   4 +-
 tests/qemu-iotests/089.out                    |   4 +-
 tests/qemu-iotests/114.out                    |   2 +-
 tests/qemu-iotests/117                        |   5 +-
 tests/qemu-iotests/117.out                    |   7 +-
 tests/qemu-iotests/120                        |   4 +-
 tests/qemu-iotests/120.out                    |   2 +-
 tests/qemu-iotests/134.out                    |   2 +-
 tests/qemu-iotests/137.out                    |   2 +-
 tests/qemu-iotests/156                        |  36 +--
 tests/qemu-iotests/156.out                    |  48 +--
 tests/qemu-iotests/161                        |  18 +-
 tests/qemu-iotests/161.out                    |  24 +-
 tests/qemu-iotests/171                        |   2 +-
 tests/qemu-iotests/171.out                    |  68 ++--
 tests/qemu-iotests/172                        |   5 +
 tests/qemu-iotests/181                        |  99 ++++--
 tests/qemu-iotests/181.out                    |  36 ++-
 tests/qemu-iotests/186                        |  20 +-
 tests/qemu-iotests/186.out                    | 440 ++++++--------------------
 tests/qemu-iotests/192                        |  22 +-
 tests/qemu-iotests/192.out                    |  17 +-
 tests/qemu-iotests/214.out                    |   2 +-
 tests/qemu-iotests/220.out                    |   2 +-
 tests/qemu-iotests/244.out                    |  12 +-
 tests/qemu-iotests/249                        |  18 +-
 tests/qemu-iotests/249.out                    |  18 +-
 tests/qemu-iotests/267                        |   4 +
 tests/qemu-iotests/271.out                    |  14 +-
 tests/qemu-iotests/283                        |   4 +-
 tests/qemu-iotests/283.out                    |   4 +-
 tests/qemu-iotests/common.rc                  |   7 +
 tests/qemu-iotests/iotests.py                 |   4 +-
 tests/qemu-iotests/tests/copy-before-write    |  98 +++---
 tests/qemu-iotests/tests/image-fleecing       |   4 +-
 tests/qemu-iotests/tests/image-fleecing.out   |  52 +--
 tests/qemu-iotests/tests/migrate-bitmaps-test |   4 +-
 tests/qtest/meson.build                       |   8 +-
 tests/vm/basevm.py                            |  13 +-
 trace/meson.build                             |   5 +-
 ui/meson.build                                |   4 +-
 167 files changed, 2092 insertions(+), 1292 deletions(-)
---
base-commit: e89049b3ba5f1f0468bc0d294173345597514a1b
change-id: 20260521-qemu-no-hmp-ead3f0bf79c0

Best regards,
--  
Marc-André Lureau <marcandre.lureau@redhat.com>

On Thu, May 21, 2026 at 01:49:01AM +0400, Marc-André Lureau wrote:
> Hi,
> 
> This series makes HMP compile-time optional via --disable-hmp. The
> resulting binary speaks only QMP - reducing the attack surface, binary
> size and enforcing a separation between machine-readable interface and
> interactive debugging console.
> 
> QMP offers almost all the functionality HMP could provide, so a separate
> standalone "HMP-like" console could be implemented on top of it. The
> rough list of missing commands (+complexity estimation) after this
> series:

When you say "complexity estimation" is that an estimate for doing
a well designed QMP implementation ?

My view is that for anything still HMP-only, we should do a quick
& dirty hack, where we just expose the existing functionality
directly as QMP without any modelling, but mark it unstable. That
would make everything be largely easy.

If we expect proper QMP design, then the job will never get finished.


> Debugging / introspection:
> - info registers (medium) - plus $reg expression handling
> - x/xp read memory (medium)
> - gpa2hpa/gpa2hva/gva2gpa address translation (medium)
> - info lapic (high) - deep x86 APIC state, lots of registers
> - info mem (high) - virtual memory mappings, different per arch
> - info tlb (high) - virt-to-phys mappings, also per arch
> - info mtree (high) - memory region tree, multiple view modes
> - info skeys (medium) - s390x storage keys
> - info cmma (medium) - s390x CMMA values
> - info qdm (easy) - could probably be folded into QOM introspection
> - info qtree (medium) - same, maybe QOM introspection is enough
> - info snapshots (medium)
> - info usbhost (medium)
> - info via (medium) -- VIA south bridge state
> 
> Simple actions / settings:
> - gdbserver (trivial)
> - boot_set (easy)
> - mce (easy) - x86 MCE injection
> - sum (easy) - memory checksum
> - sync-profile (easy) - enable/disable/reset
> - info sync-profile (medium)
> - one-insn-per-tb (easy) - could be a QOM property on the accelerator
> - pcie_aer_inject_error (easy)
> - migration_mode (medium?)
> - i/o ioport read/write (easy)
> - hostfwd-add/hostfwd-remove (medium) - slirp port forwarding
> - log/logfile (medium)
> - trace-file (medium)
> 
> Also, to let clients do disassembly on their side, it'd be useful to
> have something like "query-disassemble-info" that gives the client what
> architecture and endianness is used etc.
> 
> In the meantime, being able to build without HMP is valuable and helps
> identifying the missing pieces. The series does so by steps:
> 
> - preparatory cleanups and bug fixes
> - add commands without QMP equivalent and needed for tests
> - convert most iotests and qtests from HMP to QMP
> - guard HMP-only code paths
> - make HMP source files conditional in the build system
> 

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

Hi

On Thu, May 21, 2026 at 11:56 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> On Thu, May 21, 2026 at 01:49:01AM +0400, Marc-André Lureau wrote:
> > Hi,
> >
> > This series makes HMP compile-time optional via --disable-hmp. The
> > resulting binary speaks only QMP - reducing the attack surface, binary
> > size and enforcing a separation between machine-readable interface and
> > interactive debugging console.
> >
> > QMP offers almost all the functionality HMP could provide, so a separate
> > standalone "HMP-like" console could be implemented on top of it. The
> > rough list of missing commands (+complexity estimation) after this
> > series:
>
> When you say "complexity estimation" is that an estimate for doing
> a well designed QMP implementation ?
>
> My view is that for anything still HMP-only, we should do a quick
> & dirty hack, where we just expose the existing functionality
> directly as QMP without any modelling, but mark it unstable. That
> would make everything be largely easy.

If that's reasonable, we can have more x-unstable HumanReadableText commands.

>
> If we expect proper QMP design, then the job will never get finished.

Yeah, I expect to have a bit better than just plain string though, for
some commands. We can do it progressively.

See for example x-query-usernet & x-query-network added in this
series, they are structured, but a few info fields remain "free-form"
(slirp data, etc).

We could work on exposing the other missing commands in separate series.

>
>
> > Debugging / introspection:
> > - info registers (medium) - plus $reg expression handling
> > - x/xp read memory (medium)
> > - gpa2hpa/gpa2hva/gva2gpa address translation (medium)
> > - info lapic (high) - deep x86 APIC state, lots of registers
> > - info mem (high) - virtual memory mappings, different per arch
> > - info tlb (high) - virt-to-phys mappings, also per arch
> > - info mtree (high) - memory region tree, multiple view modes
> > - info skeys (medium) - s390x storage keys
> > - info cmma (medium) - s390x CMMA values
> > - info qdm (easy) - could probably be folded into QOM introspection
> > - info qtree (medium) - same, maybe QOM introspection is enough
> > - info snapshots (medium)
> > - info usbhost (medium)
> > - info via (medium) -- VIA south bridge state
> >
> > Simple actions / settings:
> > - gdbserver (trivial)
> > - boot_set (easy)
> > - mce (easy) - x86 MCE injection
> > - sum (easy) - memory checksum
> > - sync-profile (easy) - enable/disable/reset
> > - info sync-profile (medium)
> > - one-insn-per-tb (easy) - could be a QOM property on the accelerator
> > - pcie_aer_inject_error (easy)
> > - migration_mode (medium?)
> > - i/o ioport read/write (easy)
> > - hostfwd-add/hostfwd-remove (medium) - slirp port forwarding
> > - log/logfile (medium)
> > - trace-file (medium)
> >
> > Also, to let clients do disassembly on their side, it'd be useful to
> > have something like "query-disassemble-info" that gives the client what
> > architecture and endianness is used etc.
> >
> > In the meantime, being able to build without HMP is valuable and helps
> > identifying the missing pieces. The series does so by steps:
> >
> > - preparatory cleanups and bug fixes
> > - add commands without QMP equivalent and needed for tests
> > - convert most iotests and qtests from HMP to QMP
> > - guard HMP-only code paths
> > - make HMP source files conditional in the build system
> >
>
> With regards,
> Daniel
> --
> |: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
> |: https://libvirt.org          ~~          https://entangle-photo.org :|
> |: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|
>
>