Re: OpenBSD 6.1-snapshot boot issues in bhyve

[Jason Tubnor]

On 5 April 2017 at 13:07, Theo de Raadt  wrote:

>
> > cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz
> > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,
> CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,
> PCLMUL,DTES64,DS-CPL,SSSE3,SDBG,FMA3,CX16,xTPR,PCID,DCA,
> SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,
> NXE,PAGE1GB,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> > cpu0: 256KB 64b/line 8-way L2 cache
>
> (see SDBG in the long line above?)
>
> In that case the emulation of that cpu must support the feature it
> claims to support, either by having the hardware do it, or by having
> the vm code emulate it.  It must emulate the MSR's associated with
> the feature.
>
> Or, not make the claim.
>
> bhyve appears to be passing down feature bits from the host cpu
> without sanitizing them.
>
> I wonder what other features they are passing down some of them
> are not really safe
>

Just a follow-up.  New hardware has arrived.  This is not a wide ranging
issue and appears to only affect some models of CPUs.  Below is the output
from a bhyve guest running on an Atom C2758 SoC, no modification was made
to the bhyve startup:

OpenBSD 6.1 (GENERIC.MP) #0: Wed Apr  5 08:47:48 AEST 2017
mrbuil...@cybermen.ar18.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1056964608 (1008MB)
avail mem = 1021227008 (973MB)
warning: no entropy supplied by boot loader
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xf101f (10 entries)
bios0: vendor BHYVE version "1.00" date 03/14/2014
bios0: bhyve BHYVE
acpi0 at bios0: rev 2
acpi0: sleep states S5
acpi0: tables DSDT APIC FACP HPET MCFG
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.13 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,CX16,xTPR,SSE4
.1,SSE4.2,MOVBE,POPCNT,AES,RDRAND,HV,NXE,LONG,LAHF,3DNOWP,ITSC,ERMS,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 2400132000 Hz
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 134MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2408.75 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,CX16,xTPR,SSE4
.1,SSE4.2,MOVBE,POPCNT,AES,RDRAND,HV,NXE,LONG,LAHF,3DNOWP,ITSC,ERMS,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 0, package 1
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpihpet0 at acpi0: 1000 Hz
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PC00)
"PNP0303" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
pvbus0 at mainbus0: bhyve
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 unknown vendor 0x1275 product 0x1275 rev 0x00
ahci0 at pci0 dev 4 function 0 "Intel 82801H AHCI" rev 0x00: apic 0 int 16,
AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct
fixed t10.ATA_BHYVE_SATA_DISK_BHYVE-ABF0-1147-4A70
sd0: 9216MB, 512 bytes/sector, 18874368 sectors, thin
virtio0 at pci0 dev 5 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 00:a0:98:81:81:c6
virtio0: msix shared
pcib0 at pci0 dev 31 function 0 "Intel 82371SB ISA" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0 mux 1
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
/dev/ksyms: Symbol table not valid.
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (1eb522b194b459a8.a) swap on sd0b dump on sd0b

--

By applying the -w flag for bhyve start on the original machine, 6.1 starts
as expected:

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.1 (RAMDISK_CD) #19: Sat Apr  1 13:49:18 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 251658240 (240MB)
avail mem = 240402432 (229MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xf101f (10 entries)
bios0: vendor BHYVE version "1.00" date 03/14/2014
bios0: bhyve BHYVE
acpi0 at bios0: rev 2
acpi0: tables DSDT APIC FACP HPET MCFG
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot 

Re: OpenBSD 6.1-snapshot boot issues in bhyve

[Bryan Vyhmeister]

On Wed, Apr 05, 2017 at 12:46:27PM +1000, Jason Tubnor wrote:
> Just wondering if anyone else is seeing the same issue I am booting a
> 6.1-snapshot in bhyve? In preparation for the 6.1 pending release, I
> have tried to spin up 6.1-snap to iron out any issues in bhyve but I
> don't get very far into the installation process:

I noticed the same thing last week but was not able to report until
yesterday and noticed you already had. Michael Dexter suggested using
the bhyve "-w" flag and that works as a workaround for now.

Bryan

Re: OpenBSD 6.1-snapshot boot issues in bhyve

[Shawn Webb]

On Tue, Apr 04, 2017 at 09:07:08PM -0600, Theo de Raadt wrote:
> > cpu0: 256KB 64b/line 8-way L2 cache
> > rdmsr to register 0xc80 on vcpu 0
> >  fatal protection fault in supervisor
mode
> > trap type 4 code 0 rip 811c1d17 cs 8 rflags 202 cr2  0 cpl e rsp
> > 81a05940
> > panic: trap type 4, code=0, pc=811c1d17
>
> That's the problem with virtual cpus in x86.  There are rather
> stringent requirements -- features which are offered up must be
> emulated, if the hardware vm features don't so in hardware.
>
> And noone tested it in that combination of bhyve + real hardware you
> have.
>
> Commit from January:
>
> revision 1.80
> date: 2017/01/13 17:15:27;  author: mikeb;  state: Exp;  lines: +20 -1;
commitid: xf3Mp5sczmZXop5L;
> Disable and lock Silicon Debug feature on modern Intel CPUs
>
> This implements one of the countermeasures against using Direct
> Connect Interface (DCI) to debug CPUs via USB3 mentioned in the
> "Tapping into the core" talk at the 33c3: identify and disable
> the Silicon Debug feature found in Haswell and newer CPUs.
>
> ok mlarkin, deraadt
>
>
> /*
>  * Attempt to disable Silicon Debug and lock the configuration
>  * if it's enabled and unlocked.
>  */
> if (!strcmp(cpu_vendor, "GenuineIntel") &&
> (cpu_ecxfeature & CPUIDECX_SDBG)) {
> uint64_t msr;
>
> msr = rdmsr(IA32_DEBUG_INTERFACE);
> if ((msr & IA32_DEBUG_INTERFACE_ENABLE) &&
> (msr & IA32_DEBUG_INTERFACE_LOCK) == 0) {
> msr &= IA32_DEBUG_INTERFACE_MASK;
> msr |= IA32_DEBUG_INTERFACE_LOCK;
> wrmsr(IA32_DEBUG_INTERFACE, msr);
> } else if (msr & IA32_DEBUG_INTERFACE_ENABLE)
> printf("%s: cannot disable silicon debug\n",
> ci->ci_dev->dv_xname);
> }
>
> Let me decipher the condition above: A cpu which claims it is
> GenuineIntel, and that it has the SDBG feature.. let's see..
>
> > cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz
> > cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,SDBG,FMA3,CX16
,xTPR,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PA
GE1GB,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> > cpu0: 256KB 64b/line 8-way L2 cache
>
> (see SDBG in the long line above?)
>
> In that case the emulation of that cpu must support the feature it
> claims to support, either by having the hardware do it, or by having
> the vm code emulate it.  It must emulate the MSR's associated with
> the feature.
>
> Or, not make the claim.
>
> bhyve appears to be passing down feature bits from the host cpu
> without sanitizing them.
>
> I wonder what other features they are passing down some of them
> are not really safe
>

HardenedBSD fixed this a few months ago. Peter Grehan will pull in
HardenedBSD's fix soon.

For reference:
https://github.com/HardenedBSD/hardenedBSD/commit/cc91b57f4d1dabddfbf8b1e7655
bc19908f24f78

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:  0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]

Re: OpenBSD 6.1-snapshot boot issues in bhyve

[Theo de Raadt]

> cpu0: 256KB 64b/line 8-way L2 cache
> rdmsr to register 0xc80 on vcpu 0
>  fatal protection fault in supervisor mode
> trap type 4 code 0 rip 811c1d17 cs 8 rflags 202 cr2  0 cpl e rsp
> 81a05940
> panic: trap type 4, code=0, pc=811c1d17

That's the problem with virtual cpus in x86.  There are rather
stringent requirements -- features which are offered up must be
emulated, if the hardware vm features don't so in hardware.

And noone tested it in that combination of bhyve + real hardware you
have.

Commit from January:

revision 1.80
date: 2017/01/13 17:15:27;  author: mikeb;  state: Exp;  lines: +20 -1;  
commitid: xf3Mp5sczmZXop5L;
Disable and lock Silicon Debug feature on modern Intel CPUs

This implements one of the countermeasures against using Direct
Connect Interface (DCI) to debug CPUs via USB3 mentioned in the
"Tapping into the core" talk at the 33c3: identify and disable
the Silicon Debug feature found in Haswell and newer CPUs.

ok mlarkin, deraadt


/*
 * Attempt to disable Silicon Debug and lock the configuration
 * if it's enabled and unlocked.
 */
if (!strcmp(cpu_vendor, "GenuineIntel") &&
(cpu_ecxfeature & CPUIDECX_SDBG)) {
uint64_t msr;

msr = rdmsr(IA32_DEBUG_INTERFACE);
if ((msr & IA32_DEBUG_INTERFACE_ENABLE) &&
(msr & IA32_DEBUG_INTERFACE_LOCK) == 0) {
msr &= IA32_DEBUG_INTERFACE_MASK;
msr |= IA32_DEBUG_INTERFACE_LOCK;
wrmsr(IA32_DEBUG_INTERFACE, msr);
} else if (msr & IA32_DEBUG_INTERFACE_ENABLE)
printf("%s: cannot disable silicon debug\n",
ci->ci_dev->dv_xname);
}

Let me decipher the condition above: A cpu which claims it is
GenuineIntel, and that it has the SDBG feature.. let's see..

> cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,SDBG,FMA3,CX16,xTPR,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache

(see SDBG in the long line above?)

In that case the emulation of that cpu must support the feature it
claims to support, either by having the hardware do it, or by having
the vm code emulate it.  It must emulate the MSR's associated with
the feature.

Or, not make the claim.

bhyve appears to be passing down feature bits from the host cpu
without sanitizing them.

I wonder what other features they are passing down some of them
are not really safe

Re: OpenBSD 6.1-snapshot boot issues in bhyve

[Jonathan Gray]

On Wed, Apr 05, 2017 at 12:46:27PM +1000, Jason Tubnor wrote:
> Hi,
> 
> Just wondering if anyone else is seeing the same issue I am booting a
> 6.1-snapshot in bhyve?  In preparation for the 6.1 pending release, I have
> tried to spin up 6.1-snap to iron out any issues in bhyve but I don't get
> very far into the installation process:
> 
> 
> 
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> 
> OpenBSD 6.1 (RAMDISK_CD) #19: Sat Apr  1 13:49:18 MDT 2017
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 251658240 (240MB)
> avail mem = 240402432 (229MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xf101f (10 entries)
> bios0: vendor BHYVE version "1.00" date 03/14/2014
> bios0: bhyve BHYVE
> acpi0 at bios0: rev 2
> acpi0: tables DSDT APIC FACP HPET MCFG
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
> H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,SDBG,FMA3,CX16
> ,xTPR,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PA
> GE1GB,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> rdmsr to register 0xc80 on vcpu 0
>  fatal protection fault in supervisor mode
> trap type 4 code 0 rip 811c1d17 cs 8 rflags 202 cr2  0 cpl e rsp
> 81a05940
> panic: trap type 4, code=0, pc=811c1d17
> 
> The operating system has halted.
> Please press any key to reboot.
> 
> -
> 
> Is anyone able to shed light on this?  I can confirm that 6.0-stable
> installed and runs fine as a guest on this host:

That MSR is IA32_DEBUG_INTERFACE.

/*
 * Attempt to disable Silicon Debug and lock the configuration
 * if it's enabled and unlocked.
 */
if (!strcmp(cpu_vendor, "GenuineIntel") &&
(cpu_ecxfeature & CPUIDECX_SDBG)) {
uint64_t msr;

msr = rdmsr(IA32_DEBUG_INTERFACE);
if ((msr & IA32_DEBUG_INTERFACE_ENABLE) &&
(msr & IA32_DEBUG_INTERFACE_LOCK) == 0) {
msr &= IA32_DEBUG_INTERFACE_MASK;
msr |= IA32_DEBUG_INTERFACE_LOCK;
wrmsr(IA32_DEBUG_INTERFACE, msr);
} else if (msr & IA32_DEBUG_INTERFACE_ENABLE)
printf("%s: cannot disable silicon debug\n",
ci->ci_dev->dv_xname);
}

If they don't support SDBG they should be masking the cpuid bit.

> 
> -
> OpenBSD 6.0 (GENERIC.MP) #2: Wed Oct 12 07:46:27 AEDT 2016
> mrbuil...@cybermen.ar18.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 2130030592 (2031MB)
> avail mem = 2061062144 (1965MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7fb6a000 (10 entries)
> bios0: vendor BHYVE version "1.00" date 03/14/2014
> acpi0 at bios0: rev 2
> acpi0: sleep states S5
> acpi0: tables DSDT FACP HPET APIC MCFG SPCR
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpihpet0 at acpi0: 1000 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.95 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
> H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,FMA3,CX16,xTPR
> ,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB
> ,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: CPU supports MTRRs but not enabled by BIOS
> cpu0: apic clock running at 134MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3499.42 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
> H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,FMA3,CX16,xTPR
> ,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB
> ,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 0, package 1
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpiprt0 at acpi0: bus 0 (PC00)
> "PNP0303" at acpi0 not configured
> "PNP0F03" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> pvbus0 at mainbus0: bhyve
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 unknown vendor 0x1275 product 0x1275 

OpenBSD 6.1-snapshot boot issues in bhyve

[Jason Tubnor]

Hi,

Just wondering if anyone else is seeing the same issue I am booting a
6.1-snapshot in bhyve?  In preparation for the 6.1 pending release, I have
tried to spin up 6.1-snap to iron out any issues in bhyve but I don't get
very far into the installation process:



Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.1 (RAMDISK_CD) #19: Sat Apr  1 13:49:18 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 251658240 (240MB)
avail mem = 240402432 (229MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xf101f (10 entries)
bios0: vendor BHYVE version "1.00" date 03/14/2014
bios0: bhyve BHYVE
acpi0 at bios0: rev 2
acpi0: tables DSDT APIC FACP HPET MCFG
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.87 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,SDBG,FMA3,CX16
,xTPR,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PA
GE1GB,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
rdmsr to register 0xc80 on vcpu 0
 fatal protection fault in supervisor mode
trap type 4 code 0 rip 811c1d17 cs 8 rflags 202 cr2  0 cpl e rsp
81a05940
panic: trap type 4, code=0, pc=811c1d17

The operating system has halted.
Please press any key to reboot.

-

Is anyone able to shed light on this?  I can confirm that 6.0-stable
installed and runs fine as a guest on this host:

-
OpenBSD 6.0 (GENERIC.MP) #2: Wed Oct 12 07:46:27 AEDT 2016
mrbuil...@cybermen.ar18.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130030592 (2031MB)
avail mem = 2061062144 (1965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7fb6a000 (10 entries)
bios0: vendor BHYVE version "1.00" date 03/14/2014
acpi0 at bios0: rev 2
acpi0: sleep states S5
acpi0: tables DSDT FACP HPET APIC MCFG SPCR
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 1000 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3491.95 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,FMA3,CX16,xTPR
,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB
,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 134MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz, 3499.42 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,MMX,FXSR,SSE,SSE2,SS,HTT,PBE,SSE3,PCLMUL,DTES64,DS-CPL,SSSE3,FMA3,CX16,xTPR
,PCID,DCA,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB
,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,BMI2,ERMS,INVPCID,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 0, package 1
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PC00)
"PNP0303" at acpi0 not configured
"PNP0F03" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
pvbus0 at mainbus0: bhyve
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 unknown vendor 0x1275 product 0x1275 rev 0x00
unknown vendor 0xfb5d product 0x40fb (class display subclass VGA, rev 0x00)
at pci0 dev 2 function 0 not configured
ahci0 at pci0 dev 3 function 0 "Intel 82801H AHCI" rev 0x00: apic 2 int 16,
AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom
removable
ahci1 at pci0 dev 4 function 0 "Intel 82801H AHCI" rev 0x00: apic 2 int 17,
AHCI 1.3
ahci1: port 0: 6.0Gb/s
scsibus2 at ahci1: 32 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI3 0/direct
fixed t10.ATA_BHYVE_SATA_DISK_BHYVE-4AF5-4FB1-76AA
sd0: 9216MB, 512 bytes/sector, 18874368 sectors, thin
virtio0 at pci0 dev 5 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 00:a0:98:81:81:c6
virtio0: msix shared
virtio1 at pci0 dev 6 function 0 "Qumranet Virtio Network" rev 0x00
vio1 at virtio1: address 00:a0:98:6d:12:d0
virtio1: msix shared
pcib0 at pci0 dev 31 function 0 "Intel 82371SB ISA" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5