I think that modern hardware with a loadable firmware actually has a flash rom to keep the latest version of code for backdoors and trojans they ever seen from a user loaded.

A firmware can consist of several parts (at least two):
1) a public blob with code for the device to work well, it loads to device volatile RAM
2) a secret blob (as a part of puplic blob) with code for backdoors and trojans, it loads to device flash rom (persistent non-volatile)

So even if another time you run device with an older loadable firmware provided it still runs with the latest backdoors it remembered from another newer loaded earlier firmware.

For example if CPU reports it has an old level of microcode it does not mean it never seen and learned in its flash rom a newer modern trojan BLOB.

This makes people position promoting the latest BLOBs in loaded firmwares (as you have factory firmware anyway) less strong IMHO.

What do you think about LibertyBSD compared to OpenBSD?
The last release they did is 6.1, but there are scripts even for 6.2 and 6.3 in their repository:
https://notabug.org/jadedctrl/libertybsd-scripts-mirror

And what do you think about HardenedBSD  compared to OpenBSD?
https://hardenedbsd.org/content/easy-feature-comparison

I love Devuan+Trinity as my desktop and as an application server.
May be running them in VM guests on secured BSD (Open and/or Hardened) hosts will make my Devuan more secure.

I also thought about Illumos as a VM host but did not find any comparison to HBSD hardening features.

What would be the best for a secure ZFS server providing iSCSI blocks for OpenBSD hosts or guests connected via physical Ethernet? I guess it is HBSD?

OpenBSD encrypted FS -> physical Ethernet -> HBSD with ZFS

Is it possible to manually remove firmware blobs from OpenBSD and HBSD without many scripts like in LibertyBSD? Just not installing non-free packages and remove any blob files like  firmwares from file system? Shall OpenBSD/HBSD kernel still be recompiled to avoid ALL blobs?

Noticable that all actual security patches are refugees from their original distros. I guess sponsors of mainline kernels actually are not interested in too much outstanding security.

They are more interested in being able to steal user's data exclusively via intelligent services instead of providing protection against this And that is why OpenBSD is a refugee from NetBSD, HBSD from a FreeBSD and Grsecurity from Linux mainline.

What do you think about security of Talos II hardware platform? It looks like a better option than Libreboot (with blobed firmwares yet) ?
https://www.raptorcs.com/content/base/faq.html
May be if more companies realize problems with security of their data on their current server configs they will purchase more Power9 computers and may be pricing will become more fair due to effect of mass production? More used Talos will be available on ebay.

It seems XEN has/had problems too:
https://xenbits.xen.org/xsa/advisory-254.html

Joke? Is password reset used to find a recipient in recent Echelon data to avoid mining deeper into older layers?

Thank you very much for your suggestions.

Please let me know, where can I see a progress and status of KSPP?
How the latest KSPP does compare to Grsecurity 4.9 and latest?

Are these hardened kernels hardened by KSPP?

There are opinions that a universal patch like Grsecurity prevents more potential new yet unknown security related problems than many up to date fixes to specific already discovered issues.

No, just v4.9

Is ZFS still good for remote backups to another host with ZFS via NFS/FTP/iSCSI, etc. ?
Then what FS shall be used on a secured host? Ext3?

I did not find the models I mentioned in your list. These models (A7 and A53) have in order execution without speculative.

Provided hardware does not have flash for keeping last latest update then initial factory firmware can be very old like 10 years old and most likely its backdoors are too obsolete compared to what would be preferred by 3 letter agencies. So IMO it would prevent at least update of backdoors to their modern more advanced variant.

I guess modern storage like SSD and HDD can have a remote control via radio channel and they can modify data, especially add their own boot loader before loader expected by user. It is in addition to possible attack onto side channel like SATA bus and other buses EMI. It may contain a virtualization trojan in one of unreachable rings of CPU and monitor the whole system RAM and phone to home, may be even by satellite channels, I am not sure how they connect to their management head. May be all internet switches have backdoors to hide some packets or modify them with some hidden data, so that sniffer does not see anything suspicious? Or may be they camouflage in rare DNS queries, I do not know. So the most bad thing about modern storage can be a possibility of remote command to destroy all data. Many other problems can be solved by whole disk encryption for isolation of disk firmware from data on it and ZFS on top of encryption to
constantly verify data consistency.

Storage components are generally the most often upgraded hardware, most desirable by user, having budget even in tough times and therefore can be an attractive place to injects the latest NSA trojan developments even yet on factories.

Is an idea of nesting virtual machines with such different hardened kernels (each with mitigation) good for improving whole security of the system and isolation of guests if full emulation like Bochs is used on each level?

Earlier without kernel mitigation it did not help, even high level browser JavaScript in a guest could escape into hypervisor host RAM.

More about CPU backdoors:

https://web.archive.org/web/20190210084 … PUs-wp.pdf

http://www.freezepage.com/1549787796TGNTNZUTHI

https://www.youtube.com/watch?v=_eSAF_qT_FY

Please note a few features of a laptop/tablet I am looking for:

1) Spectre free CPU with "in order" execution and not very modern to avoid backdoors like Cortex A7.
2) Open source drivers in a Linux mainline like for AllWinner A20 realization.
3) Able to boot into FreeBSD/OpenBSD
4) May be it can be a custom made laptop from Olimex Olinuxino A20 like this:
https://wot.lv/my-take-on-a-custom-laptop.html
5) USB port able to connect to USB hub with several devices like external USB keyboard, mouse, HDD, etc.
6) BLOB free boot to avoid hardware trojans managing ARM worlds in TrusZone

Raspberry seems requires a BLOB to boot which is bad from security point of view.

I need a hardware 100% free of active BLOBs which are missing public source code.

Someone thinks that Allwinner, STM32, LPC and OMAP can boot 100% free of BLOBs, is it correct?

Does an ability of a guest to escape into the host address space depend on a type of virtualization?

For example slow full emulation like in Bochs (when original CPU instructions are converted to other instructions before execution) vs fast hardware virtualization (when CPU instructions are executed almost unchanged just in another context) if I understand correctly ?

What about a full emulation of even another architecture? Say fully emulating immune Cortex A53 virtual hardware on a X86 hardware which is not immune to spectre by itself?

Is it so easy to produce a code for a Cortex A53 virtual guest CPU which would be translated into vulnerable hardware X86 host instructions?