diff --git a/kata-containers.spec b/kata-containers.spec
index b825541..172a6f1 100644
--- a/kata-containers.spec
+++ b/kata-containers.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 
 %define VERSION 2.1.0
-%define RELEASE 31
+%define RELEASE 32
 
 Name:           kata-containers
 Version:        %{VERSION}
@@ -109,6 +109,12 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 %doc
 
 %changelog
+* Mon Mar 6 2023 zhukeqian <zhukeqian1@huawei.com> - 2.1.0-32
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:append readonly option when get pflash cmdline for stratovirt runtime
+
 * Thu Mar 02 2023 Vanient<xiadanni1@huawei.com> - 2.1.0-31
 - Type:bugfix
 - CVE:NA
@@ -145,7 +151,7 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:fix startup failure that adding more than 16 root port devices in stratovirt
 
-* Tues Mar 2 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-25
+* Wed Mar 2 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-25
 - Type:feature
 - ID:NA
 - SUG:NA
@@ -163,13 +169,13 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:add the stratovirt standardVM sandbox type to kata container
 
-* Thur Jan 13 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-22
+* Thu Jan 13 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-22
 - Type:feature
 - ID:NA
 - SUG:NA
 - DESC:refactor hypervisor type `stratovirt` and its methods
 
-* Tues Jan 11 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-21
+* Tue Jan 11 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-21
 - Type:feature
 - ID:NA
 - SUG:NA
@@ -235,7 +241,7 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:fix umount container rootfs dir return invalid argument error
 
-* Fri Nov 24 2021 jikui <jikui2@huawei.com> - 2.1.0-10
+* Wed Nov 24 2021 jikui <jikui2@huawei.com> - 2.1.0-10
 - Type:bugfix
 - ID:NA
 - SUG:NA
@@ -247,19 +253,19 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:modify kernel and image path in configuration.toml
 
-* Tue Oct 16 2021 jikui <jikui2@huawei.com> - 2.1.0-8
+* Sat Oct 16 2021 jikui <jikui2@huawei.com> - 2.1.0-8
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:keep the qemu process name same as the configured path
 
-* Mon Oct 15 2021 jikui <jikui2@huawei.com> - 2.1.0-7
+* Fri Oct 15 2021 jikui <jikui2@huawei.com> - 2.1.0-7
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:fix kata-runtime skip read lines in /proc/mounts
 
-* Fri Oct 5 2021 jikui <jikui2@huawei.com> - 2.1.0-6
+* Tue Oct 5 2021 jikui <jikui2@huawei.com> - 2.1.0-6
 - Type:bugfix
 - ID:NA
 - SUG:NA
diff --git a/patches/0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch b/patches/0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch
new file mode 100644
index 0000000..419152e
--- /dev/null
+++ b/patches/0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch
@@ -0,0 +1,39 @@
+From 59cf9bfb95386f123190eff58d50e99ec1ec5ea7 Mon Sep 17 00:00:00 2001
+From: Keqian Zhu <zhukeqian1@huawei.com>
+Date: Tue, 20 Dec 2022 14:14:46 +0800
+Subject: [PATCH] stratovirt: Append readonly option when get pflash cmdline
+
+All Stratovirt VM shares the same pflash file by default, and file can only be
+shared readonly for safety.
+
+Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
+---
+ src/runtime/virtcontainers/stratovirt.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/runtime/virtcontainers/stratovirt.go b/src/runtime/virtcontainers/stratovirt.go
+index 98a702a..7b01c76 100644
+--- a/src/runtime/virtcontainers/stratovirt.go
++++ b/src/runtime/virtcontainers/stratovirt.go
+@@ -661,15 +661,15 @@ func (s *stratovirt) getKernelParams(machineType string, initrdPath string) (str
+ func (s *stratovirt) getPFlash(machineType string) ([]string, error) {
+ 	var PFlash []string
+ 	if s.config.FirmwarePath != "" {
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", s.config.FirmwarePath))
++		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", s.config.FirmwarePath))
+ 		return PFlash, nil
+ 	}
+ 
+ 	switch machineType {
+ 	case MachineTypeQ35:
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", Q35PFlashCode))
++		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", Q35PFlashCode))
+ 	case MachineTypeVirt:
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", VirtPFlashCode))
++		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", VirtPFlashCode))
+ 	case MachineTypeMicrovm:
+ 		return nil, nil
+ 	default:
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 45bf63e..3cd4447 100644
--- a/series.conf
+++ b/series.conf
@@ -31,3 +31,4 @@
 0031-add-explicit-on-after-kernel_irqchip.patch
 0032-qmp-Don-t-use-deprecated-props-field-for-object-add.patch
 0033-optimize-compile-options.patch
+0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch