diff --git a/virtcontainers/device/config/config.go b/virtcontainers/device/config/config.go
index 3a884470a7..88d844c752 100644
--- a/virtcontainers/device/config/config.go
+++ b/virtcontainers/device/config/config.go
@@ -153,6 +153,9 @@ type BlockDrive struct {
 // ShareRW enables multiple qemu instances to share the File
 ShareRW bool
+
+ // ReadOnly sets the device file readonly
+ ReadOnly bool
 }
 // VFIODeviceType indicates VFIO device type
diff --git a/virtcontainers/qemu_arch_base.go b/virtcontainers/qemu_arch_base.go
index 9eff2c7405..5c9e1fb2eb 100644
--- a/virtcontainers/qemu_arch_base.go
+++ b/virtcontainers/qemu_arch_base.go
@@ -343,10 +343,11 @@ func genericImage(path string) (config.BlockDrive, error) {
 id := utils.MakeNameID("image", hex.EncodeToString(randBytes), maxDevIDSize)
 drive := config.BlockDrive{
- File: path,
- Format: "raw",
- ID: id,
- ShareRW: true,
+ File: path,
+ Format: "raw",
+ ID: id,
+ ShareRW: true,
+ ReadOnly: true,
 }
 return drive, nil
@@ -603,6 +604,7 @@ func genericBlockDevice(drive config.BlockDrive, nestedRun bool) (govmmQemu.Bloc
 Interface: "none",
 DisableModern: nestedRun,
 ShareRW: drive.ShareRW,
+ ReadOnly: drive.ReadOnly,
 }, nil
 }
diff --git a/virtcontainers/qemu_arch_base_test.go b/virtcontainers/qemu_arch_base_test.go
index e95dd85ed9..e3edad17de 100644
--- a/virtcontainers/qemu_arch_base_test.go
+++ b/virtcontainers/qemu_arch_base_test.go
@@ -308,6 +308,7 @@ func TestQemuArchBaseAppendImage(t *testing.T) {
 Format: "raw",
 Interface: "none",
 ShareRW: true,
+ ReadOnly: true,
 },
 }
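Review bot: The doc comment on the new `ReadOnly` field of `BlockDrive` does not say what is made read-only or what the default is. `ShareRW` just above it is documented in terms of qemu instances sharing the File, so a reader cannot tell whether `ReadOnly` restricts the guest's view of the drive or how the host opens the file. Suggest `// ReadOnly attaches the drive to the guest read-only; the zero value leaves it writable.` if that is the intended meaning.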
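Review bot: In `genericImage`, `ShareRW: true` is kept next to the new `ReadOnly: true` with no comment on why both are needed. Going by the `ShareRW` doc comment, the image file can be shared by several qemu instances, which would make the read-only attachment an integrity control: one guest should not be able to alter an image that other guests use. A one-line comment above the field, e.g. `// image may be shared between VMs: never let a guest write to it`, would keep a later cleanup from dropping it. The function starts before and ends after this hunk.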
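Review bot: `genericBlockDevice` is the only place in this diff where `drive.ReadOnly` is copied onto the hypervisor device, so the flag fails open anywhere else a `config.BlockDrive` is turned into a device: a drive marked read-only would be attached writable without any error. Other such paths, if they exist (hotplug or other architectures' code, for example), are not visible here and should be checked. A test that calls `genericBlockDevice` with `ReadOnly` set and unset would pin the propagation; the updated `TestQemuArchBaseAppendImage` expectation covers only the image case. The function starts outside the hunk.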