Re: OK, I'll bite
I spent 10 years in microprocessor validation--basically from the start of the speculative execution era. I've got some ideas about what might be done to mitigate this sort of thing in hardware. The obvious solution for Spectre would be to add some bits of the pointer to the head of the page table into the branch history table indices. Doing this, however, would require committing to an architectural feature which really, really is not something that you want to commit to.
The next thing to consider would be to add cache state to the speculative state that gets rolled back on a branch mispredict. You create an orphan pool for the caches, and pull those back. This would be quite expensive, depending on how completely you want to block such an attack. It is FAR from clear to me how such an orphan pool should be treated to avoid a variant of such an attack that takes the orphan pool into account.
If the papers are accurate, and modern CPUs really do have close to 200 instructions in flight, you would need at least 600 cache lines in your orphan buffers per level of cache--probably a lot more.
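The index change proposed in the comment above, sketched as a toy model (an added example, not part of the original post and not any real CPU's predictor design). The table size, the hash that folds the root pointer into the index, and the `ROOT_A`/`ROOT_B` values are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BTB_BITS 10
#define BTB_SIZE (1u << BTB_BITS)
/* Constructed page-table root pointers for two address spaces (hypothetical). */
#define ROOT_A 0x1a2b3000ull
#define ROOT_B 0x5c4d7000ull

typedef uint32_t (*index_fn)(uint64_t pc, uint64_t pt_root);

/* Baseline: the index depends on the branch address only. */
static uint32_t idx_pc_only(uint64_t pc, uint64_t pt_root) {
    (void)pt_root;
    return (uint32_t)(pc >> 2) & (BTB_SIZE - 1);
}

/* Proposed change: fold bits of the page-table root into the index. */
static uint32_t idx_with_pt_root(uint64_t pc, uint64_t pt_root) {
    uint64_t salt = pt_root >> 12;   /* page-offset bits are always zero */
    salt ^= salt >> BTB_BITS;        /* mix higher bits into the index range */
    return (uint32_t)((pc >> 2) ^ salt) & (BTB_SIZE - 1);
}

/* Context A trains the branch at pc in an untagged, direct-mapped table;
 * returns 1 if context B's lookup of the same pc sees A's trained target. */
static int cross_context_hit(index_fn idx, uint64_t pc,
                             uint64_t root_a, uint64_t root_b) {
    static uint64_t btb[BTB_SIZE];
    const uint64_t trained = 0x401000;
    memset(btb, 0, sizeof btb);
    btb[idx(pc, root_a)] = trained;
    return btb[idx(pc, root_b)] == trained;
}

/* Number of the first n branch addresses that alias across the two contexts. */
static unsigned count_aliases(index_fn idx, uint64_t root_a,
                              uint64_t root_b, unsigned n) {
    unsigned hits = 0;
    for (unsigned i = 0; i < n; i++)
        hits += (unsigned)cross_context_hit(idx, 0x400000 + 4ull * i, root_a, root_b);
    return hits;
}

int main(void) {
    printf("pc-only index:   %u/256 alias\n", count_aliases(idx_pc_only, ROOT_A, ROOT_B, 256));
    printf("pt-root in index: %u/256 alias\n", count_aliases(idx_with_pt_root, ROOT_A, ROOT_B, 256));
    return 0;
}
```

In this model the isolation holds only between address spaces whose root pointers hash to different index bits; lookups under the same root still share entries.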