QEMU User space emulator
========================

Supported Operating Systems
---------------------------

The following operating systems are supported in user space emulation:

- Linux (referred to as qemu-linux-user)

- BSD (referred to as qemu-bsd-user)

Features
--------

QEMU user space emulation has the following notable features:

**System call translation:**
   QEMU includes a generic system call translator. This means that the
   parameters of the system calls can be converted to fix endianness and
   32/64-bit mismatches between hosts and targets. IOCTLs can be
   converted too.

**POSIX signal handling:**
   QEMU can redirect to the running program all signals coming from the
   host (such as ``SIGALRM``), as well as synthesize signals from
   virtual CPU exceptions (for example ``SIGFPE`` when the program
   executes a division by zero).

   QEMU relies on the host kernel to emulate most signal system calls,
   for example to emulate the signal mask. On Linux, QEMU supports both
   normal and real-time signals.

**Threading:**
   On Linux, QEMU can emulate the ``clone`` syscall and create a real
   host thread (with a separate virtual CPU) for each emulated thread.
   Note that not all targets currently emulate atomic operations
   correctly. x86 and Arm use a global lock in order to preserve their
   semantics.

QEMU was conceived so that ultimately it can emulate itself. Although it
is not very useful, it is an important test to show the power of the
emulator.

Linux User space emulator
-------------------------

Command line options
~~~~~~~~~~~~~~~~~~~~

::

   qemu-i386 [-h] [-d] [-L path] [-s size] [-cpu model] [-E var=value] [-U var] [-g port] [-B offset] [-R size] program [arguments...]

``-h``
   Print the help

``-L path``
   Set the x86 ELF interpreter prefix (default=/usr/local/qemu-i386).
   The guest's ELF interpreter and shared libraries are looked up under
   this prefix, so it normally points at a sysroot for the target
   architecture.

``-s size``
   Set the x86 stack size in bytes (default=524288)

``-cpu model``
   Select CPU model (``-cpu help`` for a list and additional feature
   selection)

``-E var=value``
   Set environment variable ``var`` to ``value``.

``-U var``
   Remove ``var`` from the environment.

``-B offset``
   Offset guest addresses by the specified number of bytes. This is useful
   when the address region required by guest applications is reserved on
   the host. This option is currently only supported on some hosts.

``-R size``
   Pre-allocate a guest virtual address space of the given size (in
   bytes). "G", "M", and "k" suffixes may be used when specifying
   the size.

Debug options:

``-d item1,...``
   Activate logging of the specified items (use ``-d help`` for a list of
   log items)

``-g port``
   Wait for a gdb connection on ``port`` before starting the program

``-one-insn-per-tb``
   Run the emulation with one guest instruction per translation block.
   This slows down emulation a lot, but can be useful in some situations,
   such as when trying to analyse the logs produced by the ``-d`` option.

Environment variables:

QEMU_STRACE
   Print system calls and arguments similar to the ``strace`` program
   (NOTE: the actual ``strace`` program will not work because the user
   space emulator has not implemented ptrace). At the moment this is
   incomplete. All system calls that don't have a specific argument
   format are printed with information for six arguments. Many
   flag-style arguments don't have decoders and will show up as numbers.

Other binaries
~~~~~~~~~~~~~~

- user mode (Alpha)

  * ``qemu-alpha`` TODO.

- user mode (Arm)

  * ``qemu-armeb`` TODO.

  * ``qemu-arm`` is also capable of running Arm "Angel" semihosted ELF
    binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB
    configurations), and arm-uclinux bFLT format binaries.

- user mode (ColdFire)

- user mode (M68K)

  * ``qemu-m68k`` is capable of running semihosted binaries using the BDM
    (m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and
    coldfire uClinux bFLT format binaries.

  The binary format is detected automatically.

- user mode (i386)

  * ``qemu-i386`` TODO.
  * ``qemu-x86_64`` TODO.

- user mode (Microblaze)

  * ``qemu-microblaze`` TODO.

- user mode (MIPS)

  * ``qemu-mips`` executes 32-bit big endian MIPS binaries (MIPS O32 ABI).

  * ``qemu-mipsel`` executes 32-bit little endian MIPS binaries (MIPS O32 ABI).

  * ``qemu-mips64`` executes 64-bit big endian MIPS binaries (MIPS N64 ABI).

  * ``qemu-mips64el`` executes 64-bit little endian MIPS binaries (MIPS N64
    ABI).

  * ``qemu-mipsn32`` executes 32-bit big endian MIPS binaries (MIPS N32 ABI).

  * ``qemu-mipsn32el`` executes 32-bit little endian MIPS binaries (MIPS N32
    ABI).

- user mode (PowerPC)

  * ``qemu-ppc64`` TODO.
  * ``qemu-ppc`` TODO.

- user mode (SH4)

  * ``qemu-sh4eb`` TODO.
  * ``qemu-sh4`` TODO.

- user mode (SPARC)

  * ``qemu-sparc`` can execute Sparc32 binaries (Sparc32 CPU, 32 bit ABI).

  * ``qemu-sparc32plus`` can execute Sparc32 and SPARC32PLUS binaries
    (Sparc64 CPU, 32 bit ABI).

  * ``qemu-sparc64`` can execute some Sparc64 (Sparc64 CPU, 64 bit ABI) and
    SPARC32PLUS binaries (Sparc64 CPU, 32 bit ABI).

BSD User space emulator
-----------------------

BSD Status
~~~~~~~~~~

- target Sparc64 on Sparc64: Some trivial programs work.

Quick Start
~~~~~~~~~~~

In order to launch a BSD process, QEMU needs the process executable
itself and all the target dynamic libraries used by it.

- On Sparc64, you can just try to launch any process by using the
  native libraries::

     qemu-sparc64 /bin/ls

Command line options
~~~~~~~~~~~~~~~~~~~~

::

   qemu-sparc64 [-h] [-d] [-L path] [-s size] [-bsd type] program [arguments...]

``-h``
   Print the help

``-L path``
   Set the library root path (default=/)

``-s size``
   Set the stack size in bytes (default=524288)

``-ignore-environment``
   Start with an empty environment. Without this option, the initial
   environment is a copy of the caller's environment.

``-E var=value``
   Set environment variable ``var`` to ``value``.

``-U var``
   Remove ``var`` from the environment.

``-bsd type``
   Set the type of the emulated BSD operating system. Valid values are
   FreeBSD, NetBSD and OpenBSD (default).

Debug options:

``-d item1,...``
   Activate logging of the specified items (use ``-d help`` for a list of
   log items)

``-p pagesize``
   Act as if the host page size were ``pagesize`` bytes

``-one-insn-per-tb``
   Run the emulation with one guest instruction per translation block.
   This slows down emulation a lot, but can be useful in some situations,
   such as when trying to analyse the logs produced by the ``-d`` option.
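The Linux command line options and the ``QEMU_STRACE`` variable above are
what a practitioner reaches for when running an untrusted foreign-architecture
binary under qemu-user and watching what it does. The following Python is an
added example for this page, not code from the QEMU project: it assembles the
qemu-user invocation (``-L`` sysroot, ``-U``/``-E`` environment scrubbing,
``-g`` gdb port), runs it with ``QEMU_STRACE=1``, and parses the trace into
structured records, handling the two caveats the page states: undecoded calls
that print six plain integers, and flag arguments that appear as numbers
instead of names. Assumptions not stated on the page: the trace line layout
``<pid> <name>(<args>) = <ret>`` with ``-1 errno=N (text)`` on failure, and
that the trace goes to stderr; the sample trace lines are constructed, not
captured from a real run.

```python
"""Run a binary under qemu-user with QEMU_STRACE and triage the syscall trace.

Added example, not QEMU project code. The line format below is an assumption
about what linux-user strace output looks like; SAMPLE_TRACE is constructed.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout: "<pid> <syscall>(<args>) = <return>".
_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$")
_ERR = re.compile(r"^-1 errno=(?P<errno>\d+)(?: \((?P<text>.*)\))?$")
_INT = re.compile(r"-?\d+")
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


@dataclass
class Syscall:
    pid: int
    name: str
    args: List[str]
    ret: str
    errno: Optional[int] = None
    undecoded: bool = False  # generic six-integer form: no argument decoder


def build_command(qemu, program, argv=(), sysroot=None, env_overrides=None,
                  env_drop=(), gdb_port=None):
    """Assemble a qemu-user command line from the options documented above."""
    cmd = [qemu]
    if sysroot:
        cmd += ["-L", sysroot]          # guest loader/libraries live here
    if gdb_port:
        cmd += ["-g", str(gdb_port)]    # wait for gdb before the first insn
    for var in env_drop:
        cmd += ["-U", var]              # e.g. strip LD_PRELOAD from the guest
    for var, value in (env_overrides or {}).items():
        cmd += ["-E", f"{var}={value}"]
    return cmd + [program] + list(argv)


def _split_args(text):
    """Split on top-level commas only; quoted strings and {..} arrays stay whole."""
    out, cur, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch in "{[(":
                depth += 1
            elif ch in "}])":
                depth -= 1
            elif ch == "," and depth == 0:
                out.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    if cur or out:
        out.append("".join(cur).strip())
    return out


def parse_line(line):
    """Parse one trace line; returns None for non-syscall lines (e.g. 'Unknown syscall')."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    args = _split_args(m["args"])
    ret = m["ret"].strip()
    err = _ERR.match(ret)
    errno = int(err["errno"]) if err else None
    undecoded = len(args) == 6 and all(_INT.fullmatch(a) for a in args)
    return Syscall(int(m["pid"]), m["name"], args, ret, errno, undecoded)


def summarize(lines):
    """Pull out what a reviewer of an untrusted binary wants: execs, writes, network."""
    report = {"execve": [], "writes": [], "network": [], "undecoded": []}
    for c in filter(None, map(parse_line, lines)):
        if c.undecoded:
            report["undecoded"].append(f"{c.name}({','.join(c.args)})")
        elif c.name == "execve":
            report["execve"].append(c.args[0].strip('"'))
        elif c.name in ("open", "openat"):
            i = 1 if c.name == "openat" else 0
            path = c.args[i].strip('"')
            flags = c.args[i + 1] if len(c.args) > i + 1 else ""
            if _INT.fullmatch(flags):          # flag field printed as a number
                report["undecoded"].append(f"{c.name} {path} flags={flags}")
            elif c.errno is None and set(flags.split("|")) & WRITE_FLAGS:
                report["writes"].append(path)
        elif c.name in ("socket", "connect", "bind", "sendto"):
            report["network"].append(c.name)
    return report


def run_traced(cmd):
    """Execute the assembled command with QEMU_STRACE=1; trace is read from stderr."""
    env = dict(os.environ, QEMU_STRACE="1")
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True)
    return summarize(proc.stderr.splitlines())


# Constructed sample, not a captured trace.
SAMPLE_TRACE = """\
4242 execve("/tmp/sysroot/bin/busybox",{"busybox","id",NULL},{"PATH=/bin",NULL}) = 0
4242 brk(NULL) = 0x0000000000020000
4242 openat(AT_FDCWD,"/etc/ld.so.cache",O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD,"/tmp/out.txt",O_WRONLY|O_CREAT|O_TRUNC,0644) = 4
4242 openat(AT_FDCWD,"/nonexistent",O_WRONLY|O_CREAT,0644) = -1 errno=2 (No such file or directory)
4242 fadvise64(4,0,0,0,0,0) = 0
4242 socket(PF_INET,SOCK_STREAM,IPPROTO_IP) = 5
4242 Unknown syscall 999
""".splitlines()

if __name__ == "__main__":
    print(build_command("qemu-arm", "/bin/busybox", ["id"], sysroot="/tmp/sysroot",
                        env_drop=["LD_PRELOAD"], env_overrides={"PATH": "/bin"}))
    print(summarize(SAMPLE_TRACE))
```

``run_traced`` only works on a host with the matching ``qemu-<arch>`` binary
and a sysroot for ``-L``; ``summarize`` runs offline on saved trace text, which
is the usual case when the emulated run happened elsewhere. Failed opens are
deliberately excluded from ``writes`` because the path was never created, and
numeric flag fields are reported rather than guessed, since the flag values
depend on the target ABI.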