CHERI-QEMU
CHERI-QEMU is an adaptation of the popular QEMU ISA emulator to implement the Arm Morello and CHERI-RISC-V instruction sets; it was originally developed to run our prototype CHERI-MIPS ISA, but this is no longer supported. CHERI-QEMU has been used extensively in the development of CheriBSD, CHERI-seL4, and CHERI Linux. More information on QEMU itself can be found on the QEMU Wiki.
Obtaining CHERI-QEMU
The best way to get started with CHERI-QEMU is using our cheribuild tool, which will automatically download and build the necessary source. The compiled binaries will be installed to ~/cheri/output/sdk/bin by default.
Get started with CHERI-QEMU in one command line:
./cheribuild.py --include-dependencies qemu
The CHERI-QEMU source code can be found in the CHERI-QEMU GitHub repository. We also use a GitHub issue tracker to track bugs and feature requests.
CheriBSD Startup and Regression Testing
In practice, however, CHERI-QEMU is most useful if you also have an OS image. The following command line builds CheriBSD/RISC-V, CHERI-QEMU, and the complete toolchain including tools such as CHERI Clang/LLVM and CHERI GDB, and runs the resulting image in CHERI-QEMU:
./cheribuild.py --include-dependencies run-riscv64-purecap
This will boot CheriBSD to a multiuser prompt as follows:
$ ./cheribuild.py --include-dependencies run-riscv64-purecap
[...]
Copyright (c) 1992-2020 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 13.0-CURRENT #0 ea692111dcc-c1(master)-dirty: Thu Dec 3 13:22:10 UTC 2020
    jrtc4@zeno.sec.cl.cam.ac.uk:/home/jrtc4/cheri/build/cheribsd-riscv64-purecap-build/home/jrtc4/cheri/cheribsd/riscv.riscv64c/sys/CHERI-QEMU riscv
clang version 11.0.0 (https://github.com/CTSRD-CHERI/llvm-project.git ca275db7edb8f9ac26a926f750c0fc263da0ac27)
CHERI hybrid kernel.
[...]
FreeBSD/riscv (cheribsd-riscv64-purecap) (ttyu0)

login:
At this point you can login as the root user (no password) and run the CheriBSD regression tests:
login: root
[...]
root@:~ # cheribsdtest-hybrid -a
[...]
root@:~ # cheribsdtest-purecap -a
[...]
root@:~ #
Note that QEMU can be exited using the key sequence "Ctrl-a x" at any time.
Instruction, Register and Memory Tracing
CHERI-QEMU also has support for simple instruction, register and memory tracing. This is very useful for debugging and can be turned on (and off) from the command line when QEMU is started, or via the QEMU monitor. Note that turning on instruction tracing adds a lot of overhead to the QEMU emulation and can generate very large trace log files. In addition to the disassembled instructions, the trace includes changes to registers and memory.
Starting Instruction Tracing on Start Up
To start instruction tracing at start-up, add "-D <logfile> -d instr" to the QEMU command line. For example (for CHERI-MIPS):
$ qemu-system-cheri128 -M malta -kernel ./kernel -nographic -hda ./disk.img -m 2048 -D /var/tmp/instr.log -d instr
Starting and Stopping Instruction Tracing via CheriBSD command
CheriBSD also has a tool, /usr/bin/qtrace, that can be used to toggle QEMU tracing. This will log the traces to the file specified using the -D flag on QEMU startup.
For example:
$ qtrace -u exec /bin/true   # trace user-space instructions for true
$ qtrace exec /bin/true      # trace all instructions for true
$ qtrace start               # turn on instruction tracing
$ qtrace stop                # turn off instruction tracing
Starting and Stopping Instruction Tracing via QEMU Monitor
Instruction tracing can also be started and stopped using the QEMU Monitor. To do this toggle into the QEMU Monitor using the "Ctrl-a c" key sequence. At the QEMU Monitor prompt, to start instruction tracing, do:
(qemu) logfile /var/tmp/instr.log
(qemu) log instr
Toggle back to the console with another "Ctrl-a c" key sequence.
To stop instruction tracing using the QEMU Monitor:
(qemu) log none
CHERI-QEMU can also create CHERI-MIPS instruction traces that are compatible with the libcheritrace format used by the tracedump utility and CheriVis. To generate libcheritrace instruction traces, use '-d cvtrace' instead of '-d instr'. For example:
$ qemu-system-cheri128 -M malta -kernel ./kernel -nographic -hda ./disk.img -m 2048 -D /var/tmp/cvtrace.bin -d cvtrace
[...]
$ tracedump -t /var/tmp/cvtrace.bin
[...]