I have been trying out Qubes on the Librem 13 v4 and am impressed overall with how well they work together but there are a couple features that don’t seem to blend, specifically sys-usb and Librem Key/Heads verified boot. I installed Qubes without sys-usb. Heads and Librem key work normally but from a security standpoint this is suboptimal and also less functional on the Librem, particularly with no RJ45 I enjoy having the option for a wired connection through a USB adapter. A good solution to this is to merge sys-net and sys-usb, although now the Librem Key is not recognized on boot. I didn’t realize Qubes could block the USB controller from Heads itself but it seems to be the case. The Qubes documentation suggests an all or nothing approach when it comes to the USB controller but I am wondering if there is a way to create more granular control.
From what I can tell the line containing
rd.qubes.hide_all_usb in /etc/default/grub is responsible for hiding the Librem Key from Heads. Is it possible to modify this file in such a way so that if present the Librem Key can be passed through but other USB devices are still blocked? Or maybe there is something that can be set in /etc/qubes-rpc/policy?