diff --git a/Cargo.toml b/Cargo.toml
index 3277768c781c7a13bf5f264901b451ba2dc7b429..1af042fe2c6c95ae4da442eb75902ff731dadbb5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,6 +15,7 @@ machine_manager = { path = "machine_manager" }
 util = { path = "util" }
 trace = { path = "trace" }
 hisysevent = { path = "hisysevent" }
+hypervisor = { path = "hypervisor" }
 
 [workspace]
 members = [
@@ -44,6 +45,7 @@ trace_to_logger = ["trace/trace_to_logger"]
 trace_to_ftrace = ["trace/trace_to_ftrace"]
 trace_to_hitrace = ["trace/trace_to_hitrace"]
 hisysevent = ["hisysevent/hisysevent"]
+vfio = ["machine/vfio_device", "hypervisor/vfio_device"]
 
 [package.metadata.rpm.cargo]
 buildflags = ["--release"]
diff --git a/hypervisor/Cargo.toml b/hypervisor/Cargo.toml
index ccdf1305e93d7b6dc0c66dc8c18a6143943e8b1e..95c92558e0af8d902fa4c3de0285688090f16938 100644
--- a/hypervisor/Cargo.toml
+++ b/hypervisor/Cargo.toml
@@ -21,3 +21,7 @@ migration = { path = "../migration" }
 migration_derive = { path = "../migration/migration_derive" }
 util = { path = "../util" }
 trace = { path = "../trace" }
+
+[features]
+default = []
+vfio_device = []
diff --git a/hypervisor/src/kvm/mod.rs b/hypervisor/src/kvm/mod.rs
index d8a8da8f69f25104335fa9e4dfd26d39ffa0a578..8c295e00c706477e699a836da2e1d052b4f48725 100644
--- a/hypervisor/src/kvm/mod.rs
+++ b/hypervisor/src/kvm/mod.rs
@@ -36,9 +36,11 @@ use anyhow::anyhow;
 use anyhow::{bail, Context, Result};
 use kvm_bindings::kvm_userspace_memory_region as KvmMemSlot;
 use kvm_bindings::*;
+#[cfg(feature = "vfio_device")]
+use kvm_ioctls::DeviceFd;
 #[cfg(not(test))]
 use kvm_ioctls::VcpuExit;
-use kvm_ioctls::{Cap, DeviceFd, Kvm, VcpuFd, VmFd};
+use kvm_ioctls::{Cap, Kvm, VcpuFd, VmFd};
 use libc::{c_int, c_void, siginfo_t};
 use log::{error, info, warn};
 use vmm_sys_util::{
@@ -259,6 +261,7 @@ impl HypervisorOps for KvmHypervisor {
         })
     }
 
+    #[cfg(feature = "vfio_device")]
     fn create_vfio_device(&self) -> Option<DeviceFd> {
         let mut device = kvm_create_device {
             type_: kvm_device_type_KVM_DEV_TYPE_VFIO,
diff --git a/hypervisor/src/lib.rs b/hypervisor/src/lib.rs
index 25fc90ef67066a466a1ed8269babfedf8c9bd104..a156d9af65dc93274c7c0b30f1bd020ca5c818b9 100644
--- a/hypervisor/src/lib.rs
+++ b/hypervisor/src/lib.rs
@@ -22,6 +22,7 @@ use std::any::Any;
 use std::sync::Arc;
 
 use anyhow::Result;
+#[cfg(feature = "vfio_device")]
 use kvm_ioctls::DeviceFd;
 
 use address_space::AddressSpace;
@@ -56,5 +57,6 @@ pub trait HypervisorOps: Send + Sync + Any {
 
     fn create_irq_manager(&mut self) -> Result<IrqManager>;
 
+    #[cfg(feature = "vfio_device")]
     fn create_vfio_device(&self) -> Option<DeviceFd>;
 }
diff --git a/hypervisor/src/test/mod.rs b/hypervisor/src/test/mod.rs
index 7120bb9e6229c2a403a9da715d7b23dde3745a48..41504d827231ceb34e2b3747bfe272cea212dbae 100644
--- a/hypervisor/src/test/mod.rs
+++ b/hypervisor/src/test/mod.rs
@@ -21,6 +21,7 @@ use std::thread;
 use std::time::Duration;
 
 use anyhow::{anyhow, Context, Result};
+#[cfg(feature = "vfio_device")]
 use kvm_ioctls::DeviceFd;
 use log::info;
 use vmm_sys_util::eventfd::EventFd;
@@ -115,6 +116,7 @@ impl HypervisorOps for TestHypervisor {
         })
     }
 
+    #[cfg(feature = "vfio_device")]
     fn create_vfio_device(&self) -> Option<DeviceFd> {
         None
     }
diff --git a/machine/Cargo.toml b/machine/Cargo.toml
index e5d9253abf4e194e3586f723dc99f07911adec74..ce455c719603579f490e48d73b8e29e5acdc8b1c 100644
--- a/machine/Cargo.toml
+++ b/machine/Cargo.toml
@@ -24,7 +24,7 @@ migration = { path = "../migration" }
 migration_derive = { path = "../migration/migration_derive" }
 util = { path = "../util" }
 virtio = { path = "../virtio" }
-vfio = { path = "../vfio" }
+vfio = { path = "../vfio" , optional = true }
 block_backend = { path = "../block_backend" }
 ui = { path = "../ui" }
 trace = { path = "../trace" }
@@ -50,3 +50,4 @@ vnc_auth = ["vnc"]
 ohui_srv = ["windows_emu_pid", "ui/ohui_srv", "machine_manager/ohui_srv", "virtio/ohui_srv"]
 ramfb = ["devices/ramfb", "machine_manager/ramfb"]
 virtio_gpu = ["virtio/virtio_gpu", "machine_manager/virtio_gpu"]
+vfio_device = ["vfio"]
diff --git a/machine/src/lib.rs b/machine/src/lib.rs
index fbb6f14eba6bceb1a019c27fd3f06cb9c649702b..6b2fe0fae6891ed08d46b2310b5bb8e3c95a4309 100644
--- a/machine/src/lib.rs
+++ b/machine/src/lib.rs
@@ -99,6 +99,7 @@ use util::loop_context::{
     gen_delete_notifiers, EventNotifier, NotifierCallback, NotifierOperation,
 };
 use util::seccomp::{BpfRule, SeccompOpt, SyscallFilter};
+#[cfg(feature = "vfio_device")]
 use vfio::{vfio_register_pcidevops_type, VfioConfig, VfioDevice, VfioPciDevice, KVM_DEVICE_FD};
 #[cfg(all(target_env = "ohos", feature = "ohui_srv"))]
 use virtio::VirtioDeviceQuirk;
@@ -1384,7 +1385,7 @@ pub trait MachineOps: MachineLifecycle {
             .with_context(|| "Failed to add vhost user block device")?;
         Ok(())
     }
-
+    #[cfg(feature = "vfio_device")]
     fn add_vfio_device(&mut self, cfg_args: &str, hotplug: bool) -> Result<()> {
         let hypervisor = self.get_hypervisor();
         let locked_hypervisor = hypervisor.lock().unwrap();
@@ -1898,12 +1899,13 @@ pub trait MachineOps: MachineLifecycle {
                 ("virtio-serial-device" | "virtio-serial-pci", add_virtio_serial, vm_config, cfg_args),
                 ("virtconsole" | "virtserialport", add_virtio_serial_port, vm_config, cfg_args),
                 ("virtio-rng-device" | "virtio-rng-pci", add_virtio_rng, vm_config, cfg_args),
-                ("vfio-pci", add_vfio_device, cfg_args, false),
                 ("vhost-user-blk-device",add_vhost_user_blk_device, vm_config, cfg_args),
                 ("vhost-user-blk-pci",add_vhost_user_blk_pci, vm_config, cfg_args, false),
                 ("vhost-user-fs-pci" | "vhost-user-fs-device", add_virtio_fs, vm_config, cfg_args),
                 ("nec-usb-xhci", add_usb_xhci, cfg_args),
                 ("usb-kbd" | "usb-storage" | "usb-uas" | "usb-tablet" | "usb-camera" | "usb-host", add_usb_device,  vm_config, cfg_args);
+                #[cfg(feature = "vfio_device")]
+                ("vfio-pci", add_vfio_device, cfg_args, false),
                 #[cfg(feature = "virtio_gpu")]
                 ("virtio-gpu-pci", add_virtio_pci_gpu, cfg_args),
                 #[cfg(feature = "ramfb")]
@@ -2461,6 +2463,7 @@ pub fn type_init() -> Result<()> {
 
     // Register all pci devices type.
     machine_register_pcidevops_type()?;
+    #[cfg(feature = "vfio_device")]
     vfio_register_pcidevops_type()?;
     virtio_register_pcidevops_type()?;
     devices_register_pcidevops_type()?;
diff --git a/machine/src/standard_common/mod.rs b/machine/src/standard_common/mod.rs
index 4af265d9a85155383b591372491986d94ed57635..9fd03245f0a4f59961576b94e34e2d881a39b288 100644
--- a/machine/src/standard_common/mod.rs
+++ b/machine/src/standard_common/mod.rs
@@ -1252,6 +1252,7 @@ impl DeviceInterface for StdMachine {
                     );
                 }
             }
+            #[cfg(feature = "vfio_device")]
             "vfio-pci" => {
                 let cfg_args = locked_vmconfig.add_device_config(args.as_ref());
                 if let Err(e) = self.add_vfio_device(&cfg_args, true) {
diff --git a/machine/src/standard_common/syscall.rs b/machine/src/standard_common/syscall.rs
index d665f314e4fbfaf8b48c992dec6ff79b5513d9e7..30e1998ea25c40bb9052044fe6abea0b05fc01ce 100644
--- a/machine/src/standard_common/syscall.rs
+++ b/machine/src/standard_common/syscall.rs
@@ -23,6 +23,7 @@ use util::v4l2::{
     VIDIOC_G_FMT, VIDIOC_QBUF, VIDIOC_QUERYBUF, VIDIOC_QUERYCAP, VIDIOC_REQBUFS, VIDIOC_STREAMOFF,
     VIDIOC_STREAMON, VIDIOC_S_FMT, VIDIOC_S_PARM,
 };
+#[cfg(feature = "vfio_device")]
 use vfio::{
     VFIO_CHECK_EXTENSION, VFIO_DEVICE_GET_INFO, VFIO_DEVICE_GET_REGION_INFO, VFIO_DEVICE_RESET,
     VFIO_DEVICE_SET_IRQS, VFIO_GET_API_VERSION, VFIO_GROUP_GET_DEVICE_FD, VFIO_GROUP_GET_STATUS,
@@ -226,6 +227,18 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, TUNSETOFFLOAD() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, TUNSETVNETHDRSZ() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, TUNSETQUEUE() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_GSI_ROUTING() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_IRQFD() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_CREATE_DEVICE() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_API_VERSION() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_MP_STATE() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_VCPU_EVENTS() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DIRTY_LOG() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MP_STATE() as u32)
+        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32);
+
+    #[cfg(feature = "vfio_device")]
+    let bpf_rule = bpf_rule
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_DEVICE_SET_IRQS() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_GROUP_GET_STATUS() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_GET_API_VERSION() as u32)
@@ -237,16 +250,7 @@ fn ioctl_allow_list() -> BpfRule {
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_GROUP_GET_DEVICE_FD() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_DEVICE_GET_INFO() as u32)
         .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_DEVICE_RESET() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_DEVICE_GET_REGION_INFO() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_GSI_ROUTING() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_IRQFD() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_CREATE_DEVICE() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_API_VERSION() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_MP_STATE() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_VCPU_EVENTS() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_GET_DIRTY_LOG() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_MP_STATE() as u32)
-        .add_constraint(SeccompCmpOpt::Eq, 1, KVM_SET_VCPU_EVENTS() as u32);
+        .add_constraint(SeccompCmpOpt::Eq, 1, VFIO_DEVICE_GET_REGION_INFO() as u32);
 
     #[cfg(feature = "usb_camera_v4l2")]
     let bpf_rule = bpf_rule