Tags: pwn micro-architecture entrybleed sidechannel prefetch kernel spectre 

The exploit uses EntryBleed to leak the KASLR base and Spectre v1 to leak the physmap base. Those two leaks are used to compute the offset at which the flag from initramfs is loaded into memory, and the contents at this offset are then leaked with Spectre v1.

Original writeup (https://www.willsroot.io/2024/08/just-a-dos-bug.html).