Instead of relying on some firmware plus a real-mode bootloader, Firecracker sets up some basic page tables, puts the vCPUs in 64-bit protected-mode and jumps directly into Linux's entry point.

And now QEMU is able to do that too. At least in this unpublished local branch. 😜