CTSRD-CHERI/cheribsd

vmm's vm_set_register() should be more careful

markjdb opened this issue · 0 comments

Right now, bhyve can use an ioctl to set the guest's PC to any address, with bounds inherited from the GVA root capability. This should be reworked to ensure that existing bounds are respected. In particular, I think vmm should do the following:

  1. During guest creation, initialize each vcpu's nextpc to a copy of the GVA root cap.
  2. Require the caller of VM_SET_REGISTER to provide an untagged capability which can be derived from the current nextpc value. This should be enough to let bhyve set nextpc before initial execution of guest code.
  3. Optionally provide a mechanism to override this restriction, following, e.g., security.cheri.ptrace_caps.
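An added example (not cheribsd's vmm code) modelling the check proposed in step 2: a capability is represented by a plain struct standing in for the hardware format, and a requested nextpc is accepted only if it is monotonically derivable from the vcpu's current value. The names modelcap_t, cap_derivable and vm_set_nextpc are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a CHERI capability: base, length, permission
 * bits, cursor offset and tag. Stands in for the real hardware format. */
typedef struct {
    uint64_t base;
    uint64_t length;
    uint64_t perms;   /* bitmask of permission bits */
    uint64_t offset;  /* cursor, relative to base */
    bool     tag;
} modelcap_t;

#define CAP_PERM_LOAD    0x1u
#define CAP_PERM_STORE   0x2u
#define CAP_PERM_EXECUTE 0x4u

/* True if `req` could be derived from `parent` by monotonic operations:
 * bounds lie inside the parent's, permissions are a subset, and the
 * cursor is in bounds (the guest will fetch instructions from it). */
bool cap_derivable(const modelcap_t *parent, const modelcap_t *req)
{
    uint64_t req_top, parent_top;

    if (req->base < parent->base)
        return false;
    if (__builtin_add_overflow(req->base, req->length, &req_top))
        return false;
    if (__builtin_add_overflow(parent->base, parent->length, &parent_top))
        return false;
    if (req_top > parent_top)
        return false;
    if ((req->perms & ~parent->perms) != 0)
        return false;
    if (req->offset >= req->length)
        return false;
    return true;
}

/* Models the VM_SET_REGISTER path for nextpc: the caller's request is
 * treated as untagged (its tag field is ignored) and only honoured if it
 * is derivable from the current, tagged nextpc. Returns 0 on success,
 * -1 on rejection; nextpc is left unchanged on rejection. */
int vm_set_nextpc(modelcap_t *nextpc, const modelcap_t *req)
{
    if (!nextpc->tag || !cap_derivable(nextpc, req))
        return -1;
    /* On real hardware this step would rebuild the tagged capability
     * from nextpc; here the model just copies the fields and sets the tag. */
    *nextpc = *req;
    nextpc->tag = true;
    return 0;
}
```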