In the physical isolation setup, they recommend running the Gateway on bare metal but the Workstation in a VM to hide hardware serial numbers. Makes sense, and I'm pretty sure Qubes touts that as a feature somewhere in their documentation.