feat: add --kernel flag for QEMU system emulation mode

Add --kernel <PATH> option to boot extracted rootfs in a QEMU virtual
machine instead of namespace/chroot mode. The rootfs is converted to an
ext4 disk image using mke2fs and booted with the provided kernel.

SPEC.md

@@ -22,6 +22,9 @@ ecr [OPTIONS] <DISTRO[:VERSION]> -- [COMMAND]...
 | `--bind-rw <path>` | none | Read-write bind mount at `/mnt/<basename>` (can be specified multiple times, overrides `--bind` for same path) |
 | `--no-cache` | false | Download fresh tarball, ignore cache |
 | `--no-bind` | false | Skip mounting any directory |
+| `--kernel <path>` | none | Boot with QEMU system emulation using specified kernel (triggers disk image creation) |
+| `-m, --memory <size>` | 2G | Memory size for QEMU VM (only used with `--kernel`) |
+| `-v, --verbose` | false | Print diagnostic messages |
 | `-h, --help` | - | Show help |
 | `-V, --version` | - | Show version |
 
@@ -182,6 +185,69 @@ Install QEMU user emulation:
 
 No action required. Modern qemu-user-static packages register binfmt_misc with the `F` (fix binary) flag, loading the interpreter into kernel memory. The kernel handles foreign binary execution transparently.
 
+## QEMU System Emulation Mode
+
+When `--kernel` is specified, ecr switches from namespace/chroot mode to QEMU system emulation. The extracted rootfs is converted to a disk image and booted with the provided kernel.
+
+### Usage
+
+```sh
+ecr --kernel /boot/vmlinuz ubuntu:noble
+ecr --kernel /boot/vmlinuz --memory 4G alpine
+ecr --kernel /boot/vmlinuz debian -- /bin/sh -c "echo hello"
+```
+
+### Execution Flow
+
+1. Download/cache rootfs tarball (same as namespace mode)
+2. Extract tarball to temporary directory
+3. Create ext4 disk image from rootfs using `mke2fs -d` (requires `e2fsprogs`)
+4. Launch QEMU with:
+   - `-kernel <path>` - provided kernel
+   - `-append "root=/dev/vda rw console=ttyS0"` - kernel command line
+   - `-m <memory>` - memory size (default 2G)
+   - `-nographic` - console on stdio
+   - `-drive file=rootfs.img,format=raw,if=virtio` - rootfs disk
+   - `-netdev user,id=net0 -device virtio-net-pci,netdev=net0` - network
+5. Wait for QEMU to exit
+6. Cleanup temporary files
+
+### Disk Image Creation
+
+The rootfs directory is converted to an ext4 disk image using `mke2fs -t ext4 -d <rootfs>`. This requires the `e2fsprogs` package:
+
+- Ubuntu/Debian: `sudo apt install e2fsprogs`
+- Arch: `sudo pacman -S e2fsprogs`
+- Alpine: `sudo apk add e2fsprogs`
+
+### Architecture Support
+
+| ecr Arch | QEMU System Binary |
+|----------|-------------------|
+| amd64/x86_64 | qemu-system-x86_64 |
+| arm64/aarch64 | qemu-system-aarch64 |
+| armhf/armv7 | qemu-system-arm |
+| riscv64 | qemu-system-riscv64 |
+| ppc64el | qemu-system-ppc64 |
+| s390x | qemu-system-s390x |
+
+### Requirements
+
+- QEMU system emulator installed (`qemu-system-<arch>`)
+- `e2fsprogs` for disk image creation
+- Kernel with virtio support (for disk and network drivers)
+
+### Differences from Namespace Mode
+
+| Feature | Namespace Mode | QEMU Mode |
+|---------|---------------|-----------|
+| Isolation | User namespace | Full VM |
+| Performance | Near-native | Emulated (slower) |
+| Root access | No | No |
+| Foreign arch | binfmt_misc required | Built-in emulation |
+| Bind mounts | Overlay/bind | Not supported |
+| Network | Host network | User-mode network |
+
 ## File Handling
 
 ### Overlay Mount (Default)