I’m really new to Qubes and have been looking for a while with painly efforts to enable my built-in bluetooth USB device (Intel Corp. Bluetooth 9460/9560 JfP) on my laptop (ROG Zephyrus GX501GI). My templates are based on Debian11 and the built-in USB keyboard device of my laptop is on the same bus as my bluetooth device.
First of all, I’m fully aware of the risk implications that this would cause and I am fine with it. The only mouse I’ve available is my bluetooth mouse and I really hate my touchpad at the moment.
Could someone provide me with a step-on-step guide on how to do it? The blueman manager in dom0 which I’ve updated and enabled previously doesn’t connect with BlueZ, even after enabling bluetooth on the terminal.
My guess was to do it through my sys-usb, but I don’t know how to do this.
Did you ever get this to work? I found the same thing when I installed blueman to attempt to use a bluetooth mouse. I have no desire for bluetooth really except for the mouse, but even using the included USB dongle will not work properly. (oddly it partially works…meaning that I can connect it to a single VM and then I have an invisible mouse cursor that can click and do things, aside from the dom0 provided one). I suppose that is likely a matter of dom0 not recognizing the new pointing devices as THE mouse, but instead as something other. If anyone knows how to deal with that, then that would also be tantamount to fixing my problem, and maybe more secure than normal bluetooth since the dongle would only be used when I am actively mousing? not sure on the implications of that.
Regardless, I know bluez is installed in my fedora template, but it seems that the bluetooth.service stays dead and will not start when I tell it to systemctl enable bluetooth.service
followed by systemctl start bluetooth.service… this seems to be the same issue you were having, if I read correctly.
Are you sure, it is a Bluetooth mouse? - or is it a wireless mouse?
The basic difference between a wireless (RF) mouse vs. a Bluetooth mouse is that RF mice need a USB dongle to connect, while a Bluetooth mouse uses a transmitter that communicates and connects with the Bluetooth receiver built into your computer .
If you want to use the wireless mouse in dom0, you can do something like:
I have debian as default template.
I installed (sudo apt install blueman -y) blueman within debian template.
I have blank tray icon(blueman-tray) to manage bluetooth now.
I’ve paired my mouse successfully, but keyboard doesn’t connect - it just says “failed to pair”.
When pairing the keyboard, I don’t get any visual output to type on the keyboard as it with other OS.
Also, when I restart my computer, the tray-icon sometimes appear and sometimes don’t.
Also, when I switch computers with same bluetooth device, I keep getting the popup window saying: “Operation execution”, and then “source”(sys-net) and “operation”(dom0) to confirm.
I tried to make it as “trusted”, but it didn’t help.
You are so kind to post so quickly. This addition to the qubes.InputMouse policy worked for me. As for whether this is a wireless mouse or a bluetooth mouse, it is both. I understand what you are saying; I am using a kensington trackball that supports Bluetooth and also the little wireless dongle. I am happy having it work wither way, though certainly native bluetooth would be slightly nicer because then I would have no dongle hanging out in my USB A port.
I’d love any ideas on actually supporting a Bluetooth Low Energy mouse, but I am fairly happy with the dongle solution too, as it is quite close in my use case.
One other odd question for everyone: Logitech just released a new type of dongle (BOLT, or something like that) that appears to support more robust encryption. Any ideas on the security implications of that sort of setup vs Bluetooth Low Energy?
My thought would be that the Operation Execution window you are getting is the Qubes.MouseInput policy asking each time you try to activate the mouse/keyboard. In order to change that, you would likely need to edit your policy file as ChrisA suggested above for me, except you would need to substitute “allow” where it says “ask”. This is simply my hypothesis, mind you. I am not an expert on this OS by any stretch yet :-). I edited my policy file with the text editor “nano”, but the echo method ChrisA suggested should overwrite and replace the file that is currently there, I believe (someone please correct me if I am wrong!).
@grayman One other thing I should note as I have looked at solutions on these forums: you will probably get some pushback on supporting a bluetooth keyboard because of the security implications of that. A bluetooth mouse, to my understanding, is fairly safe because it has no ability to “see” or sense anything useful. A bluetooth keyboard, on the other hand, receives all your keystrokes, up to and including passwords you may type, so a security breach there is a critical one. I would also advise against it on those grounds. However, I also believe that your computer is yours as is what you choose to do with it, so just be aware of that (fairly huge, though hopefully unlikely) danger. Each person has a different life and different needs, so I would certainly help you out there if I knew how (once I had given my warning), but I can’t even get the bluetooth service to run on my sys-net (fedora based) so far…
You’re correct, thanks. Can you share where did you find this info in the docs, I couldn’t find it.
However, I still need to redo the whole pairing process even if I “trust” the device and use the “allow” as stated above.
I assume it’s due to the nature of the sys-* being disposable? Are there any practical solutions to this, please?
Frankly, I didn’t find where the docs explicitly mentioned this info. I got this info based on my observing of the policy examples in the docs.
I think so. You may reference those posts that use a disposable sys-net and want to keep wifi passwords. You can also try finding where blueman stores its configurations, thus the confs can be preserved across disposable reboots.
I think I have figured out how to resolve your issue there, by playing around with my system. It is definitely about the issue of sys-* being AppVMs. So what I was able to do to permanently pair a bluetooth mouse is to pair it in the TemplateVM itself. Obviously, do this cautiously as the TemplateVM is meant to be quite trusted in your system. You could even clone your template VM (fedora or debian) and then use the cloned template to make the needed modification and base your sys-USB on that one if you care to be a bit more secure.
Either way, I had to temporarily connect my template VM to my USB controllers and bluetooth card (which requires that you set the template as HVM. Be sure to change it back after you are done!). Then boot the Template up. You may have an issue of an error where the USB controller cannot reset by force, in which case you can check the box for each controller device to allow it to boot without reset. This would be done most safely as soon as you first start your computer so it is less likely you have any compromised hardware, but can be done anytime technically. Once you have booted, run the Bluetooth Adapter software (which you can enable by selecting that App in the VM Applications menu), this will ask if you should boot bluetooth at startup. You will want to say “yes”, I expect. Then run the Bluetooth manager (Blueman) and pair your device. Then trust it. Make sure it works, but then you should be able to shut down the template, remove the hardware connections and turn it back into a PVH Machine. Then reboot Sys-USB and/or sys-net and your bluetooth should work.