diff --git a/attestation/rim_ref/src/gen_rim_ref.c b/attestation/rim_ref/src/gen_rim_ref.c
index d22139a6caf15e4a6e6b8dd1c4956ed13d5cb31e..4da40ef0d734c4a41c26ddd3d9d6b9061303f9d3 100644
--- a/attestation/rim_ref/src/gen_rim_ref.c
+++ b/attestation/rim_ref/src/gen_rim_ref.c
@@ -717,7 +717,7 @@ static void print_help(const char *name)
 printf("Generate rim reference value, support two three types:\n");
 printf("(a) direct kernel boot without firmware: -k -d [-i] -v -s -m\n");
 printf("(b) firmware-only boot : -f -d -v -s -m\n");
- printf("(c) confidential container boot : -c -p\n\n");
+ printf("(c) confidential container boot : -c -p -s -m\n\n");
 printf("Options:\n");
 printf("\t-k/--kernel kernel_path : path to kernel image\n");
 printf("\t-d/--dtb dtb_path : path to device tree dtb file\n");
diff --git "a/kata-v3.15.0/doc/\346\234\272\345\257\206\345\256\271\345\231\250\346\224\257\346\214\201SRIOV.md" "b/kata-v3.15.0/doc/\346\234\272\345\257\206\345\256\271\345\231\250\346\224\257\346\214\201SRIOV.md"
index 3d8f46d64e0d8103119f9d924fd624c69da932a6..f572ca5541311240d4b74bc279fdeb493aaf3307 100644
--- "a/kata-v3.15.0/doc/\346\234\272\345\257\206\345\256\271\345\231\250\346\224\257\346\214\201SRIOV.md"
+++ "b/kata-v3.15.0/doc/\346\234\272\345\257\206\345\256\271\345\231\250\346\224\257\346\214\201SRIOV.md"
@@ -124,7 +124,7 @@ spec:
 securityContext:
 privileged: true
 command: ["sh", "-c"]
- args: ["ip link set eth1 up && ip addr add 192.168.100.90/24 dev eth1 && ip route replace default via 192.168.100.1"]
+ args: ["ip link set eth1 up && ip addr add 192.168.100.90/24 dev eth1"]
 containers:
 - name: box-1
 image: registry.hw.com:5000/busybox:latest
@@ -169,4 +169,4 @@ spec:
 - sh
 tty: true
 ```
-6)启动机密容器,容器根目录下新增`pcipci_disk`目录,即直通磁盘的挂载点,可直接读写。
\ No newline at end of file
+6)启动机密容器,容器根目录下新增`pcipci_disk`目录,即直通磁盘的挂载点,可直接读写。
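Review bot: The corrected usage line for mode (c) sits directly under a context line that still reads "support two three types", and the commit leaves that wording in place even though the three-mode list is exactly what is being fixed; change it in the same hunk, `printf("Generate rim reference value, support three types:\n");`. The new (c) line also lists `-s -m` but not the `-v` that modes (a) and (b) carry, and nothing in the hunk says whether that omission is intentional, so it is worth confirming against the option parser. A short comment above the printf block naming the options each mode requires would keep this help text from drifting from the parser again. print_help continues outside the hunk.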
diff --git a/kata-v3.15.0/kata-containers.patch b/kata-v3.15.0/kata-containers.patch
index 2addcc489ffcec13d66fb945dd218201cdfe48a1..6d4c8a610d397bca3f6378c2ba6b094e97f50658 100644
--- a/kata-v3.15.0/kata-containers.patch
+++ b/kata-v3.15.0/kata-containers.patch
@@ -1,19 +1,20 @@
-From 3dd973067cdc62f38a9513fb5e957eac5b77bd21 Mon Sep 17 00:00:00 2001
+From 27012c4c79c4b1ff09e86a324955ce241fd32b48 Mon Sep 17 00:00:00 2001
 From: fuju
-Date: Wed, 18 Jun 2025 06:03:36 -0400
-Subject: [PATCH] Support VirtCCA
+Date: Mon, 11 Aug 2025 09:57:42 -0400
+Subject: [PATCH 1/2] Support VirtCCA
 
 ---
  src/agent/Cargo.toml | 2 +-
+ src/agent/src/device/mod.rs | 5 +-
  src/runtime-rs/arch/aarch64-options.mk | 1 +
  src/runtime/Makefile | 22 +
  src/runtime/arch/arm64-options.mk | 2 +
- .../config/configuration-qemu-virtcca.toml.in | 677 +++++++++++++++++++++
+ .../config/configuration-qemu-virtcca.toml.in | 684 +++++++++++++++++++++
  src/runtime/pkg/govmm/qemu/qemu.go | 10 +
  src/runtime/virtcontainers/hypervisor.go | 5 +
  .../virtcontainers/hypervisor_linux_arm64.go | 60 +-
  src/runtime/virtcontainers/qemu_arm64.go | 69 ++-
- 9 files changed, 835 insertions(+), 13 deletions(-)
+ 10 files changed, 846 insertions(+), 14 deletions(-)
 create mode 100644 src/runtime/config/configuration-qemu-virtcca.toml.in
 
 diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
@@ -29,6 +30,22 @@ index 60c96e8..aa29848 100644
 # Agent Policy
 cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
 
+diff --git a/src/agent/src/device/mod.rs b/src/agent/src/device/mod.rs
+index eb07e0b..ca07b36 100644
+--- a/src/agent/src/device/mod.rs
++++ b/src/agent/src/device/mod.rs
+@@ -266,7 +266,10 @@ pub async fn handle_cdi_devices(
+ }
+ }
+ 
+- let (_, devices) = parse_annotations(spec.annotations().as_ref().unwrap())?;
++ let (_, mut devices) = parse_annotations(spec.annotations().as_ref().unwrap())?;
++
++ // filter out cdi device injection for pcipc/vfiodevs during container creation
++ devices.retain(|device| !device.starts_with("pcipc/"));
+ 
+ if devices.is_empty() {
+ info!(logger, "no CDI annotations, no devices to inject");
 diff --git a/src/runtime-rs/arch/aarch64-options.mk b/src/runtime-rs/arch/aarch64-options.mk
 index dc1f4ad..bdcff7e 100644
 --- a/src/runtime-rs/arch/aarch64-options.mk
@@ -149,10 +166,10 @@ index ca19c8c..9e4f7bc 100644
 FCCMD := firecracker
 diff --git a/src/runtime/config/configuration-qemu-virtcca.toml.in b/src/runtime/config/configuration-qemu-virtcca.toml.in
 new file mode 100644
-index 0000000..e055e34
+index 0000000..24c025d
 --- /dev/null
 +++ b/src/runtime/config/configuration-qemu-virtcca.toml.in
-@@ -0,0 +1,677 @@
+@@ -0,0 +1,684 @@
 +# Copyright (c) 2017-2019 Intel Corporation
 +# Copyright (c) 2021 Adobe Inc.
 +# 
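Review bot: The new `devices.retain(|device| !device.starts_with("pcipc/"));` in the embedded mod.rs hunk drops matching CDI entries silently, and the unchanged `info!(logger, "no CDI annotations, no devices to inject")` that follows then fires even when annotations were present and every device was filtered out, which will mislead whoever debugs a passthrough device that never appears in the container. Record the filtering before the emptiness check, e.g. `let total = devices.len();` / `devices.retain(|device| !device.starts_with("pcipc/"));` / `if total != devices.len() { info!(logger, "skipping {} pcipc/ CDI devices at container creation", total - devices.len()); }`. The added comment says "pcipc/vfiodevs" while the prefix test only matches `pcipc/`; if vfio devices use a different CDI kind, either add it to the filter or narrow the comment, and the spelling is worth checking against the `pcipci_disk` mount point named in the SR-IOV doc elsewhere in this commit, since the two look like they are meant to be the same name. handle_cdi_devices starts and ends outside the hunk, and the `.unwrap()` on the annotations is pre-existing.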
@@ -502,6 +519,13 @@ index 0000000..e055e34
 +# Default false
 +#hotplug_vfio_on_root_bus = true
 +
++# In a confidential compute environment hot-plugging can compromise
++# security.
++# Enable cold-plugging of VFIO devices to a bridge-port,
++# root-port or switch-port.
++# The default setting is "no-port", which means disabled.
++#cold_plug_vfio = "root-port"
++
 +# Before hot plugging a PCIe device, you need to add a pcie_root_port device.
 +# Use this parameter when using some large PCI bar devices, such as Nvidia GPU
 +# The value means the number of pcie_root_port
diff --git a/kata-v3.15.0/kata-deploy.patch b/kata-v3.15.0/kata-deploy.patch
index c2723e6a37991bb0757c0d78cb0054a948288449..6af0016cd4065f1bf227ff78800d4ce09ba5358a 100644
--- a/kata-v3.15.0/kata-deploy.patch
+++ b/kata-v3.15.0/kata-deploy.patch
@@ -1,7 +1,7 @@
-From 6ba0f3d40854d9abe7e1b66100d77426046e69a8 Mon Sep 17 00:00:00 2001
+From 4b8948afdec7dea9e1b1031833b937006e54ec25 Mon Sep 17 00:00:00 2001
 From: fuju
-Date: Tue, 10 Jun 2025 05:04:29 -0400
-Subject: [PATCH] kata-deploy
+Date: Mon, 11 Aug 2025 09:59:34 -0400
+Subject: [PATCH 2/2] kata-deploy
 
 ---
  .../osbuilder/rootfs-builder/ubuntu/Dockerfile.in | 9 +++--
@@ -14,10 +14,12 @@ Subject: [PATCH] kata-deploy
  .../runtimeclasses/kata-qemu-virtcca.yaml | 13 +++++++
  .../runtimeclasses/kata-runtimeClasses.yaml | 14 ++++++++
  tools/packaging/kernel/build-kernel.sh | 37 +++++++++++++++++--
+ .../packaging/kernel/patches/6.6.x/no_patches.txt | 0
  .../build-static-coco-guest-components.sh | 13 +++---
  versions.yaml | 15 +++++++-
- 12 files changed, 149 insertions(+), 24 deletions(-)
+ 13 files changed, 149 insertions(+), 24 deletions(-)
 create mode 100644 tools/packaging/kata-deploy/runtimeclasses/kata-qemu-virtcca.yaml
+create mode 100644 tools/packaging/kernel/patches/6.6.x/no_patches.txt
 
 diff --git a/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in b/tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in
 index 16fa213..813ff3f 100644
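Review bot: The added `cold_plug_vfio` block in the embedded configuration-qemu-virtcca.toml.in hunk is left commented out, so this VirtCCA template keeps the "no-port" default while its own comment says hot-plugging is unsafe in a confidential guest and `hotplug_vfio_on_root_bus` just above is also left at its `false` default; a reader of the deployed template cannot tell which of the two the VirtCCA SR-IOV passthrough path relies on, and that is not visible in this hunk either. If cold plug is what the confidential flow needs, set it explicitly here, `cold_plug_vfio = "root-port"`, rather than relying on the operator to uncomment it; if it is not, say so in the comment with a line such as `# VirtCCA: left disabled; <reason>` so the choice is recorded in the template itself. The surrounding option comments are upstream wording and the hunk only inserts into them; the containing file is otherwise outside this hunk.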
@@ -87,7 +89,7 @@ index 9225dec..fe04ac0 100644
 value: "qemu"
 - name: CREATE_RUNTIMECLASSES
 diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
-index d6aa51b..ba65eee 100644
+index d6aa51b..25cb0cb 100644
 --- a/tools/packaging/kata-deploy/local-build/Makefile
 +++ b/tools/packaging/kata-deploy/local-build/Makefile
 @@ -49,6 +49,17 @@ BASE_TARBALLS = serial-targets \
@@ -338,7 +340,7 @@ index 01e13b7..2242b1e 100644
 +      katacontainers.io/kata-runtime: "true"
 +---
 diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
-index c887b28..933dbc3 100755
+index c887b28..53b7483 100755
 --- a/tools/packaging/kernel/build-kernel.sh
 +++ b/tools/packaging/kernel/build-kernel.sh
 @@ -64,6 +64,8 @@ PREFIX="${PREFIX:-/usr}"
@@ -427,8 +429,11 @@ index c887b28..933dbc3 100755
 s)
 skip_config_checks="true"
 ;;
+diff --git a/tools/packaging/kernel/patches/6.6.x/no_patches.txt b/tools/packaging/kernel/patches/6.6.x/no_patches.txt
+new file mode 100644
+index 0000000..e69de29
 diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
-index 669773a..d204668 100755
+index 669773a..87e27a9 100755
 --- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
 +++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
 @@ -18,21 +18,18 @@ source "${script_dir}/../../scripts/lib.sh"
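Review bot: The embedded kata-deploy.patch now creates an empty `tools/packaging/kernel/patches/6.6.x/no_patches.txt`, and neither the file nor the hunk says what it is for; the name suggests a marker that makes build-kernel.sh skip patch application for 6.6.x kernels, but the script logic that would read it is outside this hunk, so that is an inference. For the guest kernel of a confidential VM, opting the whole 6.6.x series out of local patches is a change a reviewer needs stated, so the commit message, or a comment next to the consumer in build-kernel.sh, should say why no patches apply here and which kernel tree is expected to carry the VirtCCA support instead. A one-line note in the script such as `# 6.6.x: no local patches are applied; the marker file documents this` would also keep the empty file from looking like an accident.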