diff --git a/src/libs/Cargo.lock b/src/libs/Cargo.lock
index 80b8c0e710..e5c342a673 100644
--- a/src/libs/Cargo.lock
+++ b/src/libs/Cargo.lock
@@ -701,6 +701,7 @@ dependencies = [
  "once_cell",
  "rand",
  "safe-path",
+ "serde",
  "serde_json",
  "serial_test",
  "slog",
@@ -1384,9 +1385,9 @@ checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
 
 [[package]]
 name = "serde"
-version = "1.0.136"
+version = "1.0.147"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce31e24b01e1e524df96f1c2fdd054405f8d7376249a5110886fb4b658484789"
+checksum = "d193d69bae983fc11a79df82342761dfbf28a99fc8d203dca4c3c1b590948965"
 dependencies = [
  "serde_derive",
 ]
@@ -1423,9 +1424,9 @@ checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"
 
 [[package]]
 name = "serde_derive"
-version = "1.0.136"
+version = "1.0.147"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08597e7152fcd306f41838ed3e37be9eaeed2b61c42e2117266a554fab4662f9"
+checksum = "4f1d362ca8fc9c3e3a7484440752472d68a6caa98f1ab81d99b5dfe517cec852"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/src/libs/kata-sys-util/Cargo.toml b/src/libs/kata-sys-util/Cargo.toml
index 0e74c8fdca..62bb5d8007 100644
--- a/src/libs/kata-sys-util/Cargo.toml
+++ b/src/libs/kata-sys-util/Cargo.toml
@@ -21,6 +21,7 @@ lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.24.2"
 once_cell = "1.9.0"
+serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
 slog-scope = "4.4.0"
diff --git a/src/libs/kata-sys-util/src/protection.rs b/src/libs/kata-sys-util/src/protection.rs
index 178b0813ee..63f6182806 100644
--- a/src/libs/kata-sys-util/src/protection.rs
+++ b/src/libs/kata-sys-util/src/protection.rs
@@ -12,6 +12,7 @@ use std::fmt;
 use std::path::Path;
 use std::path::PathBuf;
 use thiserror::Error;
+use serde::{Deserialize, Serialize};
 
 #[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))]
 use nix::unistd::Uid;
@@ -19,14 +20,14 @@ use nix::unistd::Uid;
 #[cfg(target_arch = "x86_64")]
 use std::fs;
 
-#[derive(Debug, Clone, PartialEq, Eq, Default)]
+#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
 pub struct TDXDetails {
     pub major_version: u32,
     pub minor_version: u32,
 }
 
 #[allow(dead_code)]
-#[derive(Debug, Clone, PartialEq, Default)]
+#[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize)]
 pub enum GuestProtection {
     #[default]
     NoProtection,
diff --git a/src/runtime-rs/Cargo.lock b/src/runtime-rs/Cargo.lock
index 89d850781a..6ae9d503cb 100644
--- a/src/runtime-rs/Cargo.lock
+++ b/src/runtime-rs/Cargo.lock
@@ -1804,6 +1804,7 @@ dependencies = [
  "once_cell",
  "rand 0.8.5",
  "safe-path 0.1.0",
+ "serde",
  "serde_json",
  "slog",
  "slog-scope",
diff --git a/src/runtime-rs/crates/hypervisor/src/ch/inner.rs b/src/runtime-rs/crates/hypervisor/src/ch/inner.rs
index a4fb164f24..869a1200dc 100644
--- a/src/runtime-rs/crates/hypervisor/src/ch/inner.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner.rs
@@ -147,10 +147,11 @@ impl Persist for CloudHypervisorInner {
             vm_path: self.vm_path.clone(),
             jailed: false,
             jailer_root: String::default(),
-            netns: None,
+            netns: self.netns.clone(),
             config: self.hypervisor_config(),
             run_dir: self.run_dir.clone(),
-            cached_block_devices: Default::default(),
+            guest_protection_to_use: self.guest_protection_to_use.clone(),
+
             ..Default::default()
         })
     }
@@ -160,16 +161,70 @@ impl Persist for CloudHypervisorInner {
         _hypervisor_args: Self::ConstructorArgs,
         hypervisor_state: Self::State,
     ) -> Result<Self> {
-        let ch = Self {
+        let (tx, rx) = channel(true);
+
+        let mut ch = Self {
             config: Some(hypervisor_state.config),
             state: VmmState::NotReady,
             id: hypervisor_state.id,
             vm_path: hypervisor_state.vm_path,
             run_dir: hypervisor_state.run_dir,
+            netns: hypervisor_state.netns,
+            guest_protection_to_use: hypervisor_state.guest_protection_to_use.clone(),
+
+            pending_devices: vec![],
+            device_ids: HashMap::<String, String>::new(),
+            tasks: None,
+            shutdown_tx: Some(tx),
+            shutdown_rx: Some(rx),
+            timeout_secs: CH_DEFAULT_TIMEOUT_SECS as i32,
+            jailer_root: String::default(),
+            ch_features: None,
 
             ..Default::default()
         };
+        ch._capabilities = ch.capabilities().await?;
 
         Ok(ch)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use kata_sys_util::protection::TDXDetails;
+
+    #[actix_rt::test]
+    async fn test_save_clh() {
+        let mut clh = CloudHypervisorInner::new();
+        clh.id = String::from("123456");
+        clh.netns = Some(String::from("/var/run/netns/testnet"));
+        clh.vm_path = String::from("/opt/kata/bin/cloud-hypervisor");
+        clh.run_dir = String::from("/var/run/kata-containers/") + &clh.id;
+
+        let details = TDXDetails {
+            major_version: 1,
+            minor_version: 0,
+        };
+
+        clh.guest_protection_to_use = GuestProtection::Tdx(details);
+
+        let state = clh.save().await.unwrap();
+        assert_eq!(state.id, clh.id);
+        assert_eq!(state.netns, clh.netns);
+        assert_eq!(state.vm_path, clh.vm_path);
+        assert_eq!(state.run_dir, clh.run_dir);
+        assert_eq!(state.guest_protection_to_use, clh.guest_protection_to_use);
+        assert_eq!(state.jailed, false);
+        assert_eq!(state.hypervisor_type, HYPERVISOR_NAME_CH.to_string());
+
+        let clh = CloudHypervisorInner::restore((), state.clone())
+            .await
+            .unwrap();
+        assert_eq!(clh.id, state.id);
+        assert_eq!(clh.netns, state.netns);
+        assert_eq!(clh.vm_path, state.vm_path);
+        assert_eq!(clh.run_dir, state.run_dir);
+        assert_eq!(clh.guest_protection_to_use, state.guest_protection_to_use);
+    }
+}
diff --git a/src/runtime-rs/crates/hypervisor/src/hypervisor_persist.rs b/src/runtime-rs/crates/hypervisor/src/hypervisor_persist.rs
index 1ae231d834..9c617b3473 100644
--- a/src/runtime-rs/crates/hypervisor/src/hypervisor_persist.rs
+++ b/src/runtime-rs/crates/hypervisor/src/hypervisor_persist.rs
@@ -5,9 +5,9 @@
 //
 
 use crate::HypervisorConfig;
+use kata_sys_util::protection::GuestProtection;
 use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
-
 #[derive(Serialize, Deserialize, Default, Clone, Debug)]
 pub struct HypervisorState {
     // Type of hypervisor, E.g. dragonball/qemu/firecracker/acrn.
@@ -34,4 +34,6 @@ pub struct HypervisorState {
     pub cached_block_devices: HashSet<String>,
     pub virtiofs_daemon_pid: i32,
     pub passfd_listener_port: Option<u32>,
+    /// guest protection
+    pub guest_protection_to_use: GuestProtection,
 }