Well, I think I can rule out it being a PVGRUB issue alone, at least in
this case. I just created a Debian 8 template with the stock Debian 3.16
kernel and that booted up fine.
I don't think it's a coldkernel issue specifically, or at least one tied
to a certain version. Like I said, I've been running all the coldkernels
in the 4.9 series since they switched from 4.8, and use their build
scripts to compile newer ones as they come out. Until today and prior to
the recent Qubes package updates, I was running 4.9.22 with no issues.
It wasn't until after the Qubes updates that I encountered the BadAccess
errors, and updating to 4.9.23 has no effect.
So my guess is (at least until other people test some other PVGRUB
kernels to see how they behave; it could be a kernel 4.x or 4.9 issue
for all I know right now) that the newest version of whatever just got
pushed out on the Qubes end is doing something that the older versions
didn't and that the grsecurity stuff doesn't like, and this is shutting
it down. The problem is I don't know what package it might have been,
and there is absolutely *nothing* in dmesg that would give a hint.
Usually grsecurity spits out some kind of error when it kills
qubes-guid, which is why I'm still not convinced it's completely a
grsecurity/coldkernel problem at the moment. The next thing to try is a
stock 4.9 in PVGRUB mode to see if the issue persists.