Qubes optimization for Librem hardware

I have been trying out Qubes on the Librem 13 v4 and am impressed overall with how well they work together, but there are a couple of features that don’t seem to blend, specifically sys-usb and Librem Key/Heads verified boot. I installed Qubes without sys-usb. Heads and the Librem Key work normally, but from a security standpoint this is suboptimal and also less functional on the Librem; in particular, with no RJ45 port, I enjoy having the option of a wired connection through a USB adapter. A good solution to this is to merge sys-net and sys-usb, although now the Librem Key is not recognized on boot. I didn’t realize Qubes could block the USB controller from Heads itself, but it seems to be the case. The Qubes documentation suggests an all-or-nothing approach when it comes to the USB controller, but I am wondering if there is a way to create more granular control.

From what I can tell, the line containing rd.qubes.hide_all_usb in /etc/default/grub is responsible for hiding the Librem Key from Heads. Is it possible to modify this file in such a way that, if present, the Librem Key can be passed through but other USB devices are still blocked? Or maybe there is something that can be set in /etc/qubes-rpc/policy?
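As an added example (not from the original post or from Qubes itself), the following POSIX shell function parses a dom0 kernel command line and reports what the Qubes dracut hide parameters mentioned above would keep away from dom0: the blanket rd.qubes.hide_all_usb flag from the post, and the per-device rd.qubes.hide_pci=BDF form that Qubes also accepts. The sample command line is constructed; on a real system you would feed it the contents of /proc/cmdline.

```sh
#!/bin/sh
# Added example: summarise which PCI devices a Qubes dom0 kernel command line
# hides from dom0. Two parameters matter:
#   rd.qubes.hide_all_usb        hide every USB host controller from dom0
#   rd.qubes.hide_pci=BDF[,BDF]  hide only the listed PCI devices (e.g. 00:14.0)
# These take effect when the dom0 kernel boots; Heads (the firmware) has
# already run by then, so they cannot influence what Heads sees.
qubes_hidden_pci_summary() {
    all_usb=no
    pci_list=""
    # Word-split the command line on whitespace and inspect each token.
    for tok in $1; do
        case "$tok" in
            rd.qubes.hide_all_usb)
                all_usb=yes ;;
            rd.qubes.hide_pci=*)
                v=${tok#rd.qubes.hide_pci=}
                # Several hide_pci= tokens may appear; join their lists.
                pci_list="${pci_list:+$pci_list,}$v" ;;
        esac
    done
    printf 'hide_all_usb=%s\n' "$all_usb"
    printf 'hide_pci=%s\n' "${pci_list:-none}"
}

# Constructed sample command line (not captured from a real machine).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/mapper/qubes_dom0-root rd.qubes.hide_all_usb rd.qubes.hide_pci=02:00.0 rhgb quiet'

# Stand-alone run: report on the sample, then on the live kernel if present.
qubes_hidden_pci_summary "$SAMPLE_CMDLINE"
if [ -r /proc/cmdline ]; then
    echo '--- live /proc/cmdline ---'
    qubes_hidden_pci_summary "$(cat /proc/cmdline)"
fi
```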

I don’t understand how the OS, which executes after the firmware has booted, could cause the Librem Key to not be visible/accessible on a subsequent boot, unless it was doing something nasty to the XHCI controller and it wasn’t being reset properly at boot.

I don’t understand either. It might be something I am doing, but I have reproduced it a few times, only after enabling sys-usb. I will keep messing around with it and see if I can find out anything more.

Alright, so this is a non-issue. Maybe something strange happened, as I had installed and then reinstalled the same version of Qubes, so the boot hashes were unchanged. Checking again, the key is recognized, and by creating a new HOTP/TOTP secret, re-signing the files in /boot and reselecting the default boot option, it works normally.