As described in “Report picks holes in the Linux kernel release signing process” at The Register, it seems hardware keys are not mandated and, where they are being used, they do not provide enough protection:
…the Linux Foundation recommends that kernel developers use smart cards, specifically Nitrokeys, to secure their private key material…[however]…Linux Foundation-issued Nitrokeys do not require users to perform any physical actions when using smart card functions.
The report itself at OSTIF recommends:
…mandating the use of smart card devices that require physical touch to validate each smart card operation.
The Foundation responded in the report:
…because the Yubikey with touch activation is not open source, it is not possible to use for critical infrastructure security.
Seems like OnlyKey could be ideal for them?