Disabling USB in BIOS only disables the emulation of classic PS2 keyboards and IDE storage so that old OSes or bootloaders without USB stacks can work with modern equipment. As soon as the OS kernel initializes the PCI bus, USB will work again - however they could go and remove the xHCI modules from the kernel and image.
Mullvad has a custom-built bare metal UEFI implementation based on coreboot, I assume stboot is an evolution of that, which means it takes as close as you can get to full responsibility for initialization of all system components like processor, chipset, Ethernet, USB, everything.
As a result they can absolutely disable USB entirely by never exposing those parts of the device tree to Linux.
x86 devices do not have device trees, and for ARM I'd take a guess and say that as long as the PCI root port is exposed to the OS, a PCI re-scan will be enough to wake the USB chipset.
Disabling USB in BIOS only disables the emulation of classic PS2 keyboards and IDE storage so that old OSes or bootloaders without USB stacks can work with modern equipment. As soon as the OS kernel initializes the PCI bus, USB will work again - however they could go and remove the xHCI modules from the kernel and image.
Mullvad has a custom-built bare metal UEFI implementation based on coreboot, I assume stboot is an evolution of that, which means it takes as close as you can get to full responsibility for initialization of all system components like processor, chipset, Ethernet, USB, everything.
As a result they can absolutely disable USB entirely by never exposing those parts of the device tree to Linux.
x86 devices do not have device trees, and for ARM I'd take a guess and say that as long as the PCI root port is exposed to the OS, a PCI re-scan will be enough to wake the USB chipset.