mips, i386, loongarch: tighten Penguin hypercall match

[lacraig2]

Summary

The MIPS Penguin hypercall recognizer was too broad. It treated any conditional move into $zero as a Penguin hypercall, and also intercepted any mfc0 into $zero. The igloo driver hypercall instruction is specifically movz $zero, $zero, $zero, so ordinary no-op conditional moves could be dispatched into Penguin unexpectedly.

This narrows the MIPS translator hook to the exact movz $zero,$zero,$zero instruction and removes the unrelated broad mfc0 rt==0 hook.

A follow-up audit found two additional loose matches and tightens those too:

• LoongArch now requires the exact cpucfg $r0,$r0 sentinel instead of any cpucfg writing $r0.
• x86 now requires a 32-bit OUT to port 0x88, matching the driver's outl %%eax,$0x88, instead of accepting byte/word writes to the same port.

Other Penguin TCG instruction hooks already match their guest-side sentinel shape exactly: ARM32 mcr p7,0,r0,c0,c0,0, ARM64 msr S0_0_c5_c0_0,xzr, RISC-V xori x0,x0,0, and PPC xori 10,10,0.

Repro / validation

Observed with a penguin PR image using igloo_driver v0.0.75:

• Unpatched QEMU: mipsel 4.10 basic target repeatedly hangs during IGLOO driver init, typically after IGLOO: Initializing ioctl hypercalls.
• Patched QEMU copied into the same penguin image: mipsel 4.10 basic target passed 5 consecutive runs.

Command shape used locally:

python3 tests/unit_tests/basic_target/test.py --arch mipsel --kernel 4.10 --image rehosting/penguin:pr815-qemu-mips-hypercall-fix

The trigger showed up after igloo_driver PR #70 because the changed devfs registration path altered startup timing/portal traffic, but the underlying bug is in QEMU's MIPS hypercall recognition.