FRET-qemu/docs/user/main.rst

QEMU User space emulator
========================

Supported Operating Systems
---------------------------

The following OS are supported in user space emulation:

-  Linux (referred as qemu-linux-user)

-  BSD (referred as qemu-bsd-user)

Features
--------

QEMU user space emulation has the following notable features:

**System call translation:**
   QEMU includes a generic system call translator. This means that the
   parameters of the system calls can be converted to fix endianness and
   32/64-bit mismatches between hosts and targets. IOCTLs can be
   converted too.

**POSIX signal handling:**
   QEMU can redirect to the running program all signals coming from the
   host (such as ``SIGALRM``), as well as synthesize signals from
   virtual CPU exceptions (for example ``SIGFPE`` when the program
   executes a division by zero).

   QEMU relies on the host kernel to emulate most signal system calls,
   for example to emulate the signal mask. On Linux, QEMU supports both
   normal and real-time signals.

**Threading:**
   On Linux, QEMU can emulate the ``clone`` syscall and create a real
   host thread (with a separate virtual CPU) for each emulated thread.
   Note that not all targets currently emulate atomic operations
   correctly. x86 and Arm use a global lock in order to preserve their
   semantics.

QEMU was conceived so that ultimately it can emulate itself. Although it
is not very useful, it is an important test to show the power of the
emulator.

Linux User space emulator
-------------------------

Quick Start
~~~~~~~~~~~

In order to launch a Linux process, QEMU needs the process executable
itself and all the target (x86) dynamic libraries used by it.

-  On x86, you can just try to launch any process by using the native
   libraries::

      qemu-i386 -L / /bin/ls

   ``-L /`` tells that the x86 dynamic linker must be searched with a
   ``/`` prefix.

-  Since QEMU is also a linux process, you can launch QEMU with QEMU
   (NOTE: you can only do that if you compiled QEMU from the sources)::

      qemu-i386 -L / qemu-i386 -L / /bin/ls

-  On non x86 CPUs, you need first to download at least an x86 glibc
   (``qemu-runtime-i386-XXX-.tar.gz`` on the QEMU web page). Ensure that
   ``LD_LIBRARY_PATH`` is not set::

      unset LD_LIBRARY_PATH

   Then you can launch the precompiled ``ls`` x86 executable::

      qemu-i386 tests/i386/ls

   You can look at ``scripts/qemu-binfmt-conf.sh`` so that QEMU is
   automatically launched by the Linux kernel when you try to launch x86
   executables. It requires the ``binfmt_misc`` module in the Linux
   kernel.

-  The x86 version of QEMU is also included. You can try weird things
   such as::

      qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
                /usr/local/qemu-i386/bin/ls-i386

Wine launch
~~~~~~~~~~~

-  Ensure that you have a working QEMU with the x86 glibc distribution
   (see previous section). In order to verify it, you must be able to
   do::

      qemu-i386 /usr/local/qemu-i386/bin/ls-i386

-  Download the binary x86 Wine install (``qemu-XXX-i386-wine.tar.gz``
   on the QEMU web page).

-  Configure Wine on your account. Look at the provided script
   ``/usr/local/qemu-i386/bin/wine-conf.sh``. Your previous
   ``${HOME}/.wine`` directory is saved to ``${HOME}/.wine.org``.

-  Then you can try the example ``putty.exe``::

      qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
                /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe

Command line options
~~~~~~~~~~~~~~~~~~~~

::

   qemu-i386 [-h] [-d] [-L path] [-s size] [-cpu model] [-g port] [-B offset] [-R size] program [arguments...]

``-h``
   Print the help

``-L path``
   Set the x86 elf interpreter prefix (default=/usr/local/qemu-i386)

``-s size``
   Set the x86 stack size in bytes (default=524288)

``-cpu model``
   Select CPU model (-cpu help for list and additional feature
   selection)

``-E var=value``
   Set environment var to value.

``-U var``
   Remove var from the environment.

``-B offset``
   Offset guest address by the specified number of bytes. This is useful
   when the address region required by guest applications is reserved on
   the host. This option is currently only supported on some hosts.

``-R size``
   Pre-allocate a guest virtual address space of the given size (in
   bytes). \"G\", \"M\", and \"k\" suffixes may be used when specifying
   the size.

Debug options:

``-d item1,...``
   Activate logging of the specified items (use '-d help' for a list of
   log items)

``-p pagesize``
   Act as if the host page size was 'pagesize' bytes

``-g port``
   Wait gdb connection to port

``-singlestep``
   Run the emulation in single step mode.

Environment variables:

QEMU_STRACE
   Print system calls and arguments similar to the 'strace' program
   (NOTE: the actual 'strace' program will not work because the user
   space emulator hasn't implemented ptrace). At the moment this is
   incomplete. All system calls that don't have a specific argument
   format are printed with information for six arguments. Many
   flag-style arguments don't have decoders and will show up as numbers.

Other binaries
~~~~~~~~~~~~~~

user mode (Alpha)
``qemu-alpha`` TODO.

user mode (Arm)
``qemu-armeb`` TODO.

user mode (Arm)
``qemu-arm`` is also capable of running Arm \"Angel\" semihosted ELF
binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB
configurations), and arm-uclinux bFLT format binaries.

user mode (ColdFire)
user mode (M68K)
``qemu-m68k`` is capable of running semihosted binaries using the BDM
(m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and
coldfire uClinux bFLT format binaries.

The binary format is detected automatically.

user mode (Cris)
``qemu-cris`` TODO.

user mode (i386)
``qemu-i386`` TODO. ``qemu-x86_64`` TODO.

user mode (Microblaze)
``qemu-microblaze`` TODO.

user mode (MIPS)
``qemu-mips`` executes 32-bit big endian MIPS binaries (MIPS O32 ABI).

``qemu-mipsel`` executes 32-bit little endian MIPS binaries (MIPS O32
ABI).

``qemu-mips64`` executes 64-bit big endian MIPS binaries (MIPS N64 ABI).

``qemu-mips64el`` executes 64-bit little endian MIPS binaries (MIPS N64
ABI).

``qemu-mipsn32`` executes 32-bit big endian MIPS binaries (MIPS N32
ABI).

``qemu-mipsn32el`` executes 32-bit little endian MIPS binaries (MIPS N32
ABI).

user mode (NiosII)
``qemu-nios2`` TODO.

user mode (PowerPC)
``qemu-ppc64abi32`` TODO. ``qemu-ppc64`` TODO. ``qemu-ppc`` TODO.

user mode (SH4)
``qemu-sh4eb`` TODO. ``qemu-sh4`` TODO.

user mode (SPARC)
``qemu-sparc`` can execute Sparc32 binaries (Sparc32 CPU, 32 bit ABI).

``qemu-sparc32plus`` can execute Sparc32 and SPARC32PLUS binaries
(Sparc64 CPU, 32 bit ABI).

``qemu-sparc64`` can execute some Sparc64 (Sparc64 CPU, 64 bit ABI) and
SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).

BSD User space emulator
-----------------------

BSD Status
~~~~~~~~~~

-  target Sparc64 on Sparc64: Some trivial programs work.

Quick Start
~~~~~~~~~~~

In order to launch a BSD process, QEMU needs the process executable
itself and all the target dynamic libraries used by it.

-  On Sparc64, you can just try to launch any process by using the
   native libraries::

      qemu-sparc64 /bin/ls

Command line options
~~~~~~~~~~~~~~~~~~~~

::

   qemu-sparc64 [-h] [-d] [-L path] [-s size] [-bsd type] program [arguments...]

``-h``
   Print the help

``-L path``
   Set the library root path (default=/)

``-s size``
   Set the stack size in bytes (default=524288)

``-ignore-environment``
   Start with an empty environment. Without this option, the initial
   environment is a copy of the caller's environment.

``-E var=value``
   Set environment var to value.

``-U var``
   Remove var from the environment.

``-bsd type``
   Set the type of the emulated BSD Operating system. Valid values are
   FreeBSD, NetBSD and OpenBSD (default).

Debug options:

``-d item1,...``
   Activate logging of the specified items (use '-d help' for a list of
   log items)

``-p pagesize``
   Act as if the host page size was 'pagesize' bytes

``-singlestep``
   Run the emulation in single step mode.