diff --git a/hypervisor/arch/x86/guest/vm.c b/hypervisor/arch/x86/guest/vm.c
index 1a950a728..5b8672938 100644
--- a/hypervisor/arch/x86/guest/vm.c
+++ b/hypervisor/arch/x86/guest/vm.c
@@ -38,6 +38,7 @@
 #include <vgpio.h>
 #include <asm/rtcm.h>
 #include <asm/irq.h>
+#include <uart16550.h>
 
 /* Local variables */
 
@@ -354,13 +355,18 @@ static void deny_pdevs(struct acrn_vm *sos, struct acrn_vm_pci_dev_config *pci_d
 
 static void deny_hv_owned_devices(struct acrn_vm *sos)
 {
-	uint32_t i;
+	uint16_t pio_address;
+	uint32_t nbytes, i;
 
 	const struct pci_pdev **hv_owned = get_hv_owned_pdevs();
 
 	for (i = 0U; i < get_hv_owned_pdev_num(); i++) {
 		deny_pci_bar_access(sos, hv_owned[i]);
 	}
+
+	if (get_pio_dbg_uart_cfg(&pio_address, &nbytes)) {
+		deny_guest_pio_access(sos, pio_address, nbytes);
+	}
 }
 
 /**
@@ -435,8 +441,6 @@ static void prepare_sos_vm_memmap(struct acrn_vm *vm)
 		}
 	}
 
-	deny_hv_owned_devices(vm);
-
 	/* unmap AP trampoline code for security
 	 * This buffer is guaranteed to be page aligned.
 	 */
@@ -579,6 +583,10 @@ int32_t create_vm(uint16_t vm_id, uint64_t pcpu_bitmap, struct acrn_vm_config *v
 			vrtc_init(vm);
 		}
 
+		if (is_sos_vm(vm)) {
+			deny_hv_owned_devices(vm);
+		}
+
 		init_vpci(vm);
 		enable_iommu();
 
diff --git a/hypervisor/debug/uart16550.c b/hypervisor/debug/uart16550.c
index 2509e4b37..b2dacaf2f 100644
--- a/hypervisor/debug/uart16550.c
+++ b/hypervisor/debug/uart16550.c
@@ -276,3 +276,16 @@ bool is_pci_dbg_uart(union pci_bdf bdf_value)
 
 	return ret;
 }
+
+bool get_pio_dbg_uart_cfg(uint16_t *pio_address, uint32_t *nbytes)
+{
+	bool ret = false;
+
+	if (uart.enabled && (uart.type == PIO)) {
+		*pio_address = uart.port_address;
+		*nbytes = 8U;
+		ret = true;
+	}
+
+	return ret;
+}
diff --git a/hypervisor/include/debug/uart16550.h b/hypervisor/include/debug/uart16550.h
index 15ae7e966..c6d7ac088 100644
--- a/hypervisor/include/debug/uart16550.h
+++ b/hypervisor/include/debug/uart16550.h
@@ -139,5 +139,6 @@ char uart16550_getc(void);
 size_t uart16550_puts(const char *buf, uint32_t len);
 void uart16550_set_property(bool enabled, enum serial_dev_type uart_type, uint64_t base_addr);
 bool is_pci_dbg_uart(union pci_bdf bdf_value);
+bool get_pio_dbg_uart_cfg(uint16_t *pio_address, uint32_t *nbytes);
 
 #endif /* !UART16550_H */
diff --git a/hypervisor/release/console.c b/hypervisor/release/console.c
index 8db625463..7866bca06 100644
--- a/hypervisor/release/console.c
+++ b/hypervisor/release/console.c
@@ -27,7 +27,6 @@ void suspend_console(void) {}
 void resume_console(void) {}
 
 bool handle_dbg_cmd(__unused const char *cmd, __unused int32_t len) { return false; }
-bool is_pci_dbg_uart(__unused union pci_bdf bdf_value) { return false; }
 
 void shell_init(void) {}
 void shell_kick(void) {}
diff --git a/hypervisor/release/uart16550.c b/hypervisor/release/uart16550.c
index 852fde963..7608c8119 100644
--- a/hypervisor/release/uart16550.c
+++ b/hypervisor/release/uart16550.c
@@ -8,3 +8,9 @@
 #include <pci.h>
 
 void uart16550_init(__unused bool early_boot) {}
+
+bool is_pci_dbg_uart(__unused union pci_bdf bdf_value) { return false; }
+
+bool get_pio_dbg_uart_cfg(__unused uint64_t *pio_address, __unused uint64_t *nbytes) {
+	return false;
+}