diff --git a/src/crosvm/cmdline.rs b/src/crosvm/cmdline.rs
index 2b40feee24..de53eb0f91 100644
--- a/src/crosvm/cmdline.rs
+++ b/src/crosvm/cmdline.rs
@@ -1167,6 +1167,10 @@ pub struct RunCommand {
     ///        for this device
     pub vfio: Vec<VfioCommand>,
     #[cfg(unix)]
+    #[argh(switch)]
+    /// isolate all hotplugged passthrough vfio device behind virtio-iommu
+    pub vfio_isolate_hotplug: bool,
+    #[cfg(unix)]
     #[argh(option, arg_name = "PATH", from_str_fn(parse_vfio_platform))]
     /// path to sysfs of platform pass through
     pub vfio_platform: Vec<VfioCommand>,
@@ -1861,6 +1865,7 @@ impl TryFrom<RunCommand> for super::config::Config {
         {
             cfg.vfio.extend(cmd.vfio);
             cfg.vfio.extend(cmd.vfio_platform);
+            cfg.vfio_isolate_hotplug = cmd.vfio_isolate_hotplug;
         }
 
         // Now do validation of constructed config
diff --git a/src/crosvm/config.rs b/src/crosvm/config.rs
index 0acad70405..0481f42979 100644
--- a/src/crosvm/config.rs
+++ b/src/crosvm/config.rs
@@ -1400,6 +1400,8 @@ pub struct Config {
     pub vcpu_count: Option<usize>,
     #[cfg(unix)]
     pub vfio: Vec<super::sys::config::VfioCommand>,
+    #[cfg(unix)]
+    pub vfio_isolate_hotplug: bool,
     pub vhost_net: bool,
     #[cfg(unix)]
     pub vhost_net_device_path: PathBuf,
@@ -1589,6 +1591,8 @@ impl Default for Config {
             vcpu_count: None,
             #[cfg(unix)]
             vfio: Vec::new(),
+            #[cfg(unix)]
+            vfio_isolate_hotplug: false,
             vhost_net: false,
             #[cfg(unix)]
             vhost_net_device_path: PathBuf::from(VHOST_NET_PATH),
diff --git a/src/crosvm/sys/unix.rs b/src/crosvm/sys/unix.rs
index 1431de1e07..3bdec297e0 100644
--- a/src/crosvm/sys/unix.rs
+++ b/src/crosvm/sys/unix.rs
@@ -1615,7 +1615,8 @@ where
         &mut devices,
     )?;
 
-    let iommu_host_tube = if !iommu_attached_endpoints.is_empty() || !hp_endpoints_ranges.is_empty()
+    let iommu_host_tube = if !iommu_attached_endpoints.is_empty()
+        || (cfg.vfio_isolate_hotplug && !hp_endpoints_ranges.is_empty())
     {
         let (iommu_host_tube, iommu_device_tube) = Tube::pair().context("failed to create tube")?;
         let iommu_dev = create_iommu_device(
@@ -1878,6 +1879,11 @@ fn handle_vfio_command<V: VmArch, Vcpu: VcpuArch>(
     add: bool,
     hp_interrupt: bool,
 ) -> VmResponse {
+    let iommu_host_tube = if cfg.vfio_isolate_hotplug {
+        iommu_host_tube
+    } else {
+        &None
+    };
     let ret = if add {
         add_vfio_device(
             linux,