It's now working. I've tested Qubes with a big variety of hardware wallets and they all work out of the box, no need to create a custom sys-usb - except for Trezor Model T and Trezor Safe (3 and 5), and only if you want to use them with browser-based wallets (that includes Trezor Suite).
It looks like this is because most hardware wallets use the HID protocol for USB communication, which is easy to pass through to virtual machines in Qubes. Model T and Safe models use WebUSB, and it looks like they don't like how Qubes passthrough handles WebUSB devices. Electrum seems to be able to communicate with Model T and Safe models via HID.
Long story short, after following @smrtak's guide, Model T and Safe models work with Trezor Suite and other browser wallets. But I do believe the RPC policies are overly permissive, so I suggest changing those to make sure only the TrezorSuite VM can connect to trezord-service.
Thanks! I didn't realize there was a comment with modified RPC policies - when clicking the link in the thread I can only see the original post with the very permissive RPC policy.
Anyway, I see that you added appVMs for Sparrow and Electrum to the RPC allow list. According to my tests that's not strictly necessary (but of course it will work), because you can just attach the Trezor devices to those appVMs using the standard Qubes passthrough and they will work. The only case in which Model T and Safe models don't work via passthrough is with Trezor Suite and other browser-based wallets (Metamask, Rabby, etc.)
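The difference between the permissive and the restricted RPC policy discussed above, as an added example that is not code from this thread or from the guide it refers to. It assumes the Qubes 4.1+ five-column policy format with first-match evaluation and default deny, matches only literal qube names and `@anyvm`, and uses a hypothetical qube name `trezor-suite`.

```python
from typing import NamedTuple

SERVICE = "trezord-service"  # service name as written in the thread

# Constructed sample policies; "trezor-suite" is a hypothetical qube name.
PERMISSIVE = "trezord-service  *  @anyvm  @anyvm  allow target=sys-usb\n"
RESTRICTED = (
    "# only the Trezor Suite qube may reach the bridge in sys-usb\n"
    "trezord-service  *  trezor-suite  sys-usb  allow\n"
    "trezord-service  *  @anyvm        @anyvm   deny\n"
)

class Rule(NamedTuple):
    service: str
    argument: str
    source: str
    target: str
    action: str

def parse(policy: str) -> list[Rule]:
    """Parse 'service argument source target action [params]' lines."""
    rules = []
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append(Rule(*fields[:5]))
    return rules

def decide(policy: str, source: str, target: str = "sys-usb") -> str:
    """Return the action of the first matching rule; no match means deny."""
    for r in parse(policy):
        if (r.service == SERVICE and r.source in (source, "@anyvm")
                and r.target in (target, "@anyvm")):
            return r.action
    return "deny"

def wide_open(policy: str) -> list[Rule]:
    """Allow rules for the service that any qube can match as source."""
    return [r for r in parse(policy)
            if r.service == SERVICE and r.action == "allow" and r.source == "@anyvm"]

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, {q: decide(pol, q) for q in ("trezor-suite", "untrusted")},
              "wide-open rules:", len(wide_open(pol)))
```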
Check out USBIP protocol errors where we've been debugging the USB passthrough method (as opposed to running software in sys-usb), however there are some issues as well.