diff --git a/src/crosvm.rs b/src/crosvm.rs
index 0b3051c3ff..d2f0026a39 100644
--- a/src/crosvm.rs
+++ b/src/crosvm.rs
@@ -436,6 +436,7 @@ pub struct Config {
 pub init_memory: Option,
 #[cfg(feature = "direct")]
 pub pcie_rp: Vec,
+ pub rng: bool,
 }
 impl Default for Config {
@@ -547,6 +548,7 @@ impl Default for Config {
 init_memory: None,
 #[cfg(feature = "direct")]
 pcie_rp: Vec::new(),
+ rng: true,
 }
 }
 }
diff --git a/src/linux/mod.rs b/src/linux/mod.rs
index b79b861146..cb677900a7 100644
--- a/src/linux/mod.rs
+++ b/src/linux/mod.rs
@@ -267,7 +267,9 @@ fn create_virtio_devices(
 )?);
 }
- devs.push(create_rng_device(cfg)?);
+ if cfg.rng {
+ devs.push(create_rng_device(cfg)?);
+ }
 #[cfg(feature = "tpm")]
 {
diff --git a/src/main.rs b/src/main.rs
index 92c72ead06..76b860e7db 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -2071,19 +2071,19 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
 }
 "protected-vm" => {
 cfg.protected_vm = ProtectionType::Protected;
- // Balloon device only works for unprotected VMs.
+ // Balloon and USB devices only work for unprotected VMs.
 cfg.balloon = false;
-
- // USB device only works for unprotected VMs.
 cfg.usb = false;
+ // Protected VMs can't trust the RNG device, so don't provide it.
+ cfg.rng = false;
 }
 "protected-vm-without-firmware" => {
 cfg.protected_vm = ProtectionType::ProtectedWithoutFirmware;
- // Balloon device only works for unprotected VMs.
+ // Balloon and USB devices only work for unprotected VMs.
 cfg.balloon = false;
-
- // USB device only works for unprotected VMs.
 cfg.usb = false;
+ // Protected VMs can't trust the RNG device, so don't provide it.
+ cfg.rng = false;
 }
 "battery" => {
 let params = parse_battery_options(value)?;
@@ -2103,6 +2103,9 @@ fn set_argument(cfg: &mut Config, name: &str, value: Option<&str>) -> argument::
 "no-balloon" => {
 cfg.balloon = false;
 }
+ "no-rng" => {
+ cfg.rng = false;
+ }
 "no-usb" => {
 cfg.usb = false;
 }
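Review bot: In the src/linux/mod.rs hunk the new guard tests only `cfg.rng`, so the rule that a protected VM gets no RNG device is enforced solely by the two flag arms in src/main.rs. `Config::default()` now sets `rng: true`, so a `Config` whose `protected_vm` is set by any other path would still reach `create_rng_device`; whether such a path exists is not visible in this diff. Checking the protection type at the device-creation site would keep the policy next to the code it protects, for example `if cfg.rng && !matches!(cfg.protected_vm, ProtectionType::Protected | ProtectionType::ProtectedWithoutFirmware) {`, assuming `ProtectionType` is in scope in this module. The body of `create_virtio_devices` starts and ends outside the hunk.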
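Review bot: The comment added in the `"protected-vm"` arm of `set_argument` (src/main.rs, hunk at -2071) says the RNG device cannot be trusted but not why, and it is silent on where the guest's entropy comes from once the device is gone. Presumably the concern is that the device's output is supplied by the host, which sits outside a protected VM's trust boundary; spelling that out tells a maintainer why the override must not become optional. I would write `// The RNG device is fed by the host, which a protected VM does not trust; the guest must seed its RNG from another source.` and use the same text in the `"protected-vm-without-firmware"` arm, which carries the identical comment. `set_argument` starts and ends outside the hunk.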
@@ -2683,6 +2686,7 @@ iommu=on|off - indicates whether to enable virtio IOMMU for this device"),
 Argument::flag("no-balloon", "Don't use virtio-balloon device in the guest"),
 #[cfg(feature = "usb")]
 Argument::flag("no-usb", "Don't use usb devices in the guest"),
+ Argument::flag("no-rng", "Don't create RNG device in the guest"),
 Argument::value("balloon_bias_mib", "N", "Amount to bias balance of memory between host and guest as the balloon inflates, in MiB."),
 Argument::value("vhost-user-blk", "SOCKET_PATH", "Path to a socket for vhost-user block"),
 Argument::value("vhost-user-console", "SOCKET_PATH", "Path to a socket for vhost-user console"),
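Review bot: The help text for `no-rng` does not tell the operator that the `protected-vm` and `protected-vm-without-firmware` flags already force the same setting, so the interaction is only discoverable by reading `set_argument`. I would word it as `Argument::flag("no-rng", "Don't create RNG device in the guest (always off for protected VMs)"),`. It may also be worth noting in the flag's documentation that a guest started this way has to obtain its entropy from another source. The argument list this line belongs to starts and ends outside the hunk.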