diff --git a/virtcontainers/container.go b/virtcontainers/container.go
index 4dad304171..55440e75ca 100644
--- a/virtcontainers/container.go
+++ b/virtcontainers/container.go
@@ -680,6 +680,7 @@ func (c *Container) createBlockDevices() error {
 				DevType:       "b",
 				Major:         int64(unix.Major(stat.Rdev)),
 				Minor:         int64(unix.Minor(stat.Rdev)),
+				ReadOnly:      m.ReadOnly,
 			}
 			// check whether source can be used as a pmem device
 		} else if di, err = config.PmemDeviceInfo(m.Source, m.Destination); err != nil {
diff --git a/virtcontainers/device/config/config.go b/virtcontainers/device/config/config.go
index bcd0d62695..ef3a9f523d 100644
--- a/virtcontainers/device/config/config.go
+++ b/virtcontainers/device/config/config.go
@@ -115,6 +115,9 @@ type DeviceInfo struct {
 	// for a nvdimm device in the guest.
 	Pmem bool
 
+	// If applicable, should this device be considered RO
+	ReadOnly bool
+
 	// ColdPlug specifies whether the device must be cold plugged (true)
 	// or hot plugged (false).
 	ColdPlug bool
diff --git a/virtcontainers/device/drivers/block.go b/virtcontainers/device/drivers/block.go
index 31010a4068..6bb7f4c6db 100644
--- a/virtcontainers/device/drivers/block.go
+++ b/virtcontainers/device/drivers/block.go
@@ -61,11 +61,12 @@ func (device *BlockDevice) Attach(devReceiver api.DeviceReceiver) (err error) {
 	}
 
 	drive := &config.BlockDrive{
-		File:   device.DeviceInfo.HostPath,
-		Format: "raw",
-		ID:     utils.MakeNameID("drive", device.DeviceInfo.ID, maxDevIDSize),
-		Index:  index,
-		Pmem:   device.DeviceInfo.Pmem,
+		File:     device.DeviceInfo.HostPath,
+		Format:   "raw",
+		ID:       utils.MakeNameID("drive", device.DeviceInfo.ID, maxDevIDSize),
+		Index:    index,
+		Pmem:     device.DeviceInfo.Pmem,
+		ReadOnly: device.DeviceInfo.ReadOnly,
 	}
 
 	if fs, ok := device.DeviceInfo.DriverOptions["fstype"]; ok {
diff --git a/virtcontainers/qemu.go b/virtcontainers/qemu.go
index 4328a39441..95afc59b66 100644
--- a/virtcontainers/qemu.go
+++ b/virtcontainers/qemu.go
@@ -1113,9 +1113,9 @@ func (q *qemu) hotplugAddBlockDevice(drive *config.BlockDrive, op operation, dev
 	}
 
 	if q.config.BlockDeviceCacheSet {
-		err = q.qmpMonitorCh.qmp.ExecuteBlockdevAddWithCache(q.qmpMonitorCh.ctx, drive.File, drive.ID, q.config.BlockDeviceCacheDirect, q.config.BlockDeviceCacheNoflush, false)
+		err = q.qmpMonitorCh.qmp.ExecuteBlockdevAddWithCache(q.qmpMonitorCh.ctx, drive.File, drive.ID, q.config.BlockDeviceCacheDirect, q.config.BlockDeviceCacheNoflush, drive.ReadOnly)
 	} else {
-		err = q.qmpMonitorCh.qmp.ExecuteBlockdevAdd(q.qmpMonitorCh.ctx, drive.File, drive.ID, false)
+		err = q.qmpMonitorCh.qmp.ExecuteBlockdevAdd(q.qmpMonitorCh.ctx, drive.File, drive.ID, drive.ReadOnly)
 	}
 	if err != nil {
 		return err