I thoroughly tested all Trezor models (One, T, Safe 3 and Safe 5) with Qubes OS, and here are the results:
Following the usual Qubes workflow (attaching the Trezor device from sys-usb to a VM running the wallet):
Trezor One works with:
- Electrum
- Trezor Suite
- Web extensions like Metamask/Rabby on Chrome (and other Chromium-based browsers)
Trezor Model T, Safe 3 and Safe 5:
Work with Electrum
Do not work with Trezor Suite or Chrome-based wallet extensions
To use Model T or Safe 3/5 on Qubes, I have to run the devices directly on sys-usb, as specified in these custom instructions.
This compatibility issue appears to be related to the different USB protocols:
- Trezor One (and most hardware wallets) uses the HID protocol for USB communication, which works well with Qubes VM passthrough
- Model T, Safe 3 and Safe 5 use WebUSB, which seems incompatible with Qubes’ USB passthrough mechanism
Electrum can communicate with all Trezor models (including T and Safe) because it’s not browser-based and communicates via HID rather than WebUSB.
I haven’t identified the exact cause of Qubes passthrough issues with WebUSB, but it appears related to how Qubes USB passthrough handles the resetting of WebUSB devices.