diff --git a/agent/patches/0019-kata-agent-modify-make-flags.patch b/agent/patches/0019-kata-agent-modify-make-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..50f88fc5790baac5958a6b2baa2c47ff98b26e20
--- /dev/null
+++ b/agent/patches/0019-kata-agent-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 1c7aaafa7b8691ea6ed6c910455567b36bb6f5ff Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:25:49 +0800
+Subject: [PATCH] kata-agent: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index e4fd243..26fe898 100644
+--- a/Makefile
++++ b/Makefile
+@@ -101,6 +101,9 @@ AGENT_IMAGE := katacontainers/agent-dev
+ AGENT_TAG := $(if $(COMMIT_NO_SHORT),$(COMMIT_NO_SHORT),dev)
+ 
+ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \
+ -ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+ 
+-- 
+2.25.1
+
diff --git a/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch b/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e60ae635fcf6470d1294fd6671e27331f5075b03
--- /dev/null
+++ b/agent/patches/0020-kata-agent-add-linkmode-to-resolve-build-error.patch
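Review bot: The three `CGO_*` exports placed before `go build` in the `$(TARGET)` recipe only reach C objects compiled through cgo and the external linker; for a package that is linked internally (the default when no non-standard cgo code is involved), `CGO_LDFLAGS` with relro/now/noexecstack is never handed to a linker, so the recipe adds no hardening in that configuration, which presumably is why the follow-up "linkmode" patches exist. The same applies to proxy/patches/0002, shim/patches/0002 and runtime/patches/0068. Nothing records the intent or why `CGO_LDFLAGS_ALLOW` is needed; a comment above the first export such as `# hardening flags for cgo objects; CGO_LDFLAGS_ALLOW is required because go's cgo flag allowlist presumably accepts -Wl,-z,relro and -Wl,-z,now only as separate arguments, not the combined form — verify against the Go toolchain in use` would let a maintainer judge them later. `-fPIE` in `CGO_CFLAGS` also only produces a PIE when `$(BUILDFLAGS)` carries `-buildmode=pie`; that definition lies outside this hunk and is not visible for the agent.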
@@ -0,0 +1,37 @@
+From d98995f25c3a839f25590478bef37d2a456593a3 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Mon, 22 Mar 2021 17:07:37 +0800
+Subject: [PATCH] kata-agent: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 26fe898..5401c69 100644
+--- a/Makefile
++++ b/Makefile
+@@ -16,7 +16,7 @@ INIT := no
+ TRACE := no
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
++STRIP := yes
+ 
+ # Tracing cannot currently be supported when running the agent as PID 1 since
+ # the tracing requires additional services to be started _before_ the agent
+@@ -105,7 +105,7 @@ $(TARGET): $(GENERATED_FILES) $(SOURCES) $(VERSION_FILE)
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -tags "$(BUILDTAGS)" -o $@ \
+- -ldflags "-X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
++ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) -X main.seccompSupport=$(SECCOMP) $(LDFLAGS) $(KATA_LDFLAGS)"
+ 
+ install: $(TARGET)
+ install -D $(TARGET) $(DESTDIR)$(BINDIR)/$(TARGET)
+-- 
+2.25.1
+
diff --git a/agent/series.conf b/agent/series.conf
index fc5adee738f4fa8d49e7d1c42f416de2580a81a0..6f69da3c82ce383035084132dae5bfa6b90c777a 100644
--- a/agent/series.conf
+++ b/agent/series.conf
@@ -16,3 +16,5 @@
 0016-clock-synchronizes-clock-info-with-proxy.patch
 0017-agent-add-support-of-new-sandbox-StratoVirt.patch
 0018-kata-agent-update-nic-in-guest.patch
+0019-kata-agent-modify-make-flags.patch
+0020-kata-agent-add-linkmode-to-resolve-build-error.patch
diff --git a/proxy/patches/0002-kata-proxy-modify-make-flags.patch b/proxy/patches/0002-kata-proxy-modify-make-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b164997e5e865a719cc8e2c6c3b225ffd464f74e
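Review bot: The first inner hunk (`@@ -16,7 +16,7 @@`) flips `STRIP := no` to `STRIP := yes`, which has nothing to do with the link mode named in the subject and silently removes the symbol table and DWARF from every build through the `ifeq ($(STRIP),yes)` block that lies outside the hunk; proxy/patches/0003 and shim/patches/0003 carry the same change. Stripped binaries are materially harder to symbolize during crash and incident analysis, so this deserves its own commit with the reason stated, or the default should stay and packaging should pass `STRIP=yes` explicitly. `-linkmode=external` in the second inner hunk additionally hard-requires `CGO_ENABLED=1` and a host C toolchain, so any build path that sets `CGO_ENABLED=0` now fails outright, and the result is presumably dynamically linked against the host libc unless `-extldflags` requests static linking — worth confirming against how the agent binary is placed in the guest image. The `$(TARGET)` rule and the `STRIP` conditional both continue outside these hunks.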
--- /dev/null
+++ b/proxy/patches/0002-kata-proxy-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 2c5cbf2ca9624d5443ad334a8337cb58d57573b2 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:34:07 +0800
+Subject: [PATCH] kata-proxy: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index a1b3eee..07e9ba8 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+ 
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+-- 
+2.25.1
+
diff --git a/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch b/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b3b840ea1dc1152e1a04c81cc26d352e9b260fd2
--- /dev/null
+++ b/proxy/patches/0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
@@ -0,0 +1,37 @@
+From 5c4d7bcbef7d213009f1c63acf53319e230e06e2 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Mon, 22 Mar 2021 17:11:48 +0800
+Subject: [PATCH] kata-proxy: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 07e9ba8..b931dd3 100644
+--- a/Makefile
++++ b/Makefile
+@@ -5,7 +5,7 @@
+ #
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
++STRIP := yes
+ 
+ DESTDIR :=
+ ifeq ($(PREFIX),)
+@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE)
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+ bash .ci/go-test.sh
+-- 
+2.25.1
+
diff --git a/proxy/series.conf b/proxy/series.conf
index 1f29a6e09e095aac06ef3e23e53d3014353300ac..669d8caacb8579544d83c2fdcbb7bc5b1ac3d368 100644
--- a/proxy/series.conf
+++ b/proxy/series.conf
@@ -1 +1,3 @@
 0001-clock-synchronizes-clock-info-to-agent.patch
+0002-kata-proxy-modify-make-flags.patch
+0003-kata-proxy-add-linkmode-to-resolve-build-error.patch
diff --git a/runtime/patches/0068-kata-runtime-modify-make-flags.patch b/runtime/patches/0068-kata-runtime-modify-make-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..32e13bc87106644619b5c3107f99d7d6c5fd123c
--- /dev/null
+++ b/runtime/patches/0068-kata-runtime-modify-make-flags.patch
@@ -0,0 +1,45 @@
+From 883dac2d9cd4daea88a9ac0325df02d1de578168 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:48:11 +0800
+Subject: [PATCH] kata-runtime: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b62e64b..6b9f764 100644
+--- a/Makefile
++++ b/Makefile
+@@ -521,7 +521,11 @@ containerd-shim-v2: $(SHIMV2_OUTPUT)
+ netmon: $(NETMON_TARGET_OUTPUT)
+ 
+ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+- $(QUIET_BUILD)(cd $(NETMON_DIR) && go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
++ $(QUIET_BUILD)(cd $(NETMON_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
+ 
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -559,7 +563,11 @@ GENERATED_FILES += $(CLI_DIR)/config-generated.go
+ GENERATED_FILES += pkg/katautils/config-settings.go
+ 
+ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+- $(QUIET_BUILD)(cd $(CLI_DIR) && go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
++ $(QUIET_BUILD)(cd $(CLI_DIR) && \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
+ 
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
+-- 
+2.25.1
+
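Review bot: The `$(SHIMV2_OUTPUT)` recipe, visible as trailing context of the second inner hunk, still runs a plain `go build $(KATA_LDFLAGS) -i -o $@ .`, so containerd-shim-v2 is built without the CGO hardening that netmon and `$(TARGET_OUTPUT)` now receive; if that is deliberate it needs a comment on the rule, otherwise it is the one binary most deployments actually exec. The identical three `CGO_*` assignments are also pasted into two recipes of the same Makefile; hoisting them once, e.g. `CGO_HARDEN := CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack"` (constructed name) and writing `$(CGO_HARDEN) go build …` in each recipe, keeps the copies from drifting and makes adding the shim-v2 rule a one-token change. `$(QUIET_BUILD)`, `$(BUILDFLAGS)` and `$(KATA_LDFLAGS)` are defined outside these hunks.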
diff --git a/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch b/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b75ef97eae336222eaa6cefe730a813f4059c4a5
--- /dev/null
+++ b/runtime/patches/0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
@@ -0,0 +1,48 @@
+From 22678612f668274ab0b37175517401039e17ff00 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Mon, 22 Mar 2021 17:18:14 +0800
+Subject: [PATCH] kata-runtime: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui
+---
+ Makefile | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 6b9f764..f7a9311 100644
+--- a/Makefile
++++ b/Makefile
+@@ -490,8 +490,9 @@ endif
+ BUILDFLAGS := -buildmode=pie ${BUILDTAGS}
+ 
+ # whether stipping the binary
++STRIP=yes
+ ifeq ($(STRIP),yes)
+- KATA_LDFLAGS := -ldflags "-w -s"
++ KATA_LDFLAGS := -ldflags "-w -s"
+ endif
+ 
+ # Return non-empty string if specified directory exists
+@@ -525,7 +526,7 @@ $(NETMON_TARGET_OUTPUT): $(SOURCES) VERSION
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION)" $(KATA_LDFLAGS))
++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION) -w -s")
+ 
+ runtime: $(TARGET_OUTPUT) $(CONFIGS)
+ .DEFAULT: default
+@@ -567,7 +568,7 @@ $(TARGET_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST) | show-summary
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+- go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ .)
++ go build $(KATA_LDFLAGS) $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external" .)
+ 
+ $(SHIMV2_OUTPUT): $(SOURCES) $(GENERATED_FILES) $(MAKEFILE_LIST)
+ $(QUIET_BUILD)(cd $(SHIMV2_DIR)/ && go build $(KATA_LDFLAGS) -i -o $@ .)
+-- 
+2.25.1
+
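Review bot: The two `go build` lines handle stripping inconsistently: in the second inner hunk netmon hard-codes `-w -s` inside its `-ldflags`, so the `STRIP` switch directly above no longer controls that binary, while in the third hunk `$(TARGET_OUTPUT)` passes `$(KATA_LDFLAGS)` (`-ldflags "-w -s"`) followed by a second `-ldflags "-linkmode=external"`, and as far as I recall `go build` keeps only the last `-ldflags` value for a package, so the runtime binary is presumably not stripped even though `STRIP=yes` says it is. Each recipe should assemble exactly one `-ldflags` string from a shared fragment. `STRIP=yes` in the first hunk also clobbers any `STRIP` the caller exports in the environment; `STRIP ?= yes` keeps the opt-out (a `make STRIP=no` on the command line still wins either way). `KATA_LDFLAGS` is still consumed unchanged by the `$(SHIMV2_OUTPUT)` recipe shown as context, so it has to survive the refactor; the helper definitions between the hunks are outside my view.
```make
# whether stripping the binary (overridable from the environment or the command line)
STRIP ?= yes
# bare linker fragment so each recipe can fold it into its single -ldflags string
STRIP_LDFLAGS := $(if $(filter yes,$(STRIP)),-w -s)
# kept for recipes that still pass a whole -ldflags option (e.g. $(SHIMV2_OUTPUT))
KATA_LDFLAGS := $(if $(STRIP_LDFLAGS),-ldflags "$(STRIP_LDFLAGS)")
# … unchanged: directory helpers, netmon rule header and its CGO_* exports …
	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION) $(STRIP_LDFLAGS)")
# … unchanged: runtime target, $(TARGET_OUTPUT) rule header and its CGO_* exports …
	go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external $(STRIP_LDFLAGS)" .)
```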
diff --git a/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch b/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6463fc368b143caae3010327d75985adb042291d
--- /dev/null
+++ b/runtime/patches/0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
@@ -0,0 +1,29 @@
+From 6d684a77e027e8103345cab768860533705d5ce4 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Tue, 23 Mar 2021 17:17:00 +0800
+Subject: [PATCH] kata-runtime: remove ctty to resolve build failed
+
+reason: remove ctty to resolve build failed
+
+Signed-off-by: jikui
+---
+ virtcontainers/shim.go | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/virtcontainers/shim.go b/virtcontainers/shim.go
+index b192b25..08097f0 100644
+--- a/virtcontainers/shim.go
++++ b/virtcontainers/shim.go
+@@ -219,9 +219,6 @@ func startShim(args []string, params ShimParams) (int, error) {
+ cmd.Stderr = f
+ // Create Session
+ cmd.SysProcAttr.Setsid = true
+- // Set Controlling terminal to Ctty
+- cmd.SysProcAttr.Setctty = true
+- cmd.SysProcAttr.Ctty = int(f.Fd())
+ }
+ defer func() {
+ if f != nil {
+-- 
+2.25.1
+
diff --git a/runtime/series.conf b/runtime/series.conf
index 462da994e348cbdc0d10b6ed8128e6066507c54a..3d6f95cd023be131331dad411e865271d6f213cf 100644
--- a/runtime/series.conf
+++ b/runtime/series.conf
@@ -63,3 +63,8 @@
 0063-kata-runtime-fix-get-sandbox-cpu-resources-problem.patch
 0064-runtime-add-support-for-stratovirt-of-kata-check-cli.patch
 0065-runtime-fixup-that-the-getPids-function-returns-pid-.patch
+0066-CVE-2020-28914-1.patch
+0067-CVE-2020-28914-2.patch
+0068-kata-runtime-modify-make-flags.patch
+0069-kata-runtime-add-linkmode-to-resolve-build-error.patch
+0070-kata-runtime-remove-ctty-to-resolve-build-failed.patch
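Review bot: Deleting `Setctty`/`Ctty` is a behaviour change, not only a build fix: the shim is still made a session leader through `Setsid`, but it no longer acquires `f` as its controlling terminal, so terminal-driven signal delivery (hangup, interrupt) to the shim and its children stops, and nothing in the hunk or the patch description says that is acceptable. If the failure being worked around is the newer Go requirement that `Ctty` name a descriptor valid in the child rather than the parent's `f.Fd()`, the fix that keeps the semantics is to hand the file down and point `Ctty` at its child-side index, roughly `cmd.ExtraFiles = append(cmd.ExtraFiles, f)` followed by `cmd.SysProcAttr.Ctty = 3 + len(cmd.ExtraFiles) - 1`; if the controlling terminal really is not needed, the patch description should state why rather than "resolve build failed". `startShim` continues on both sides of the hunk and the origin and type of `f` are not visible here.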
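Review bot: The runtime series now lists `0066-CVE-2020-28914-1.patch` and `0067-CVE-2020-28914-2.patch`, yet this commit adds neither file under runtime/patches while it does add 0068–0070; unless both already exist in the tree, series application stops at the first missing entry and the three patches after it are never applied. Confirm the two files are present at those exact names, or add them in this commit so the series and the patch directory stay in step.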
diff --git a/shim/patches/0002-kata-shim-modify-make-flags.patch b/shim/patches/0002-kata-shim-modify-make-flags.patch
new file mode 100644
index 0000000000000000000000000000000000000000..290d3ed0b2f0d44026a382e2736faed9bafa4a28
--- /dev/null
+++ b/shim/patches/0002-kata-shim-modify-make-flags.patch
@@ -0,0 +1,29 @@
+From 0a4adf4ffafd31820c471353757de2a6e2260e39 Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Thu, 18 Mar 2021 15:52:27 +0800
+Subject: [PATCH] kata-shim: modify make flags
+
+reason: modify make flags
+
+Signed-off-by: jikui
+---
+ Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 5cba637..b244053 100644
+--- a/Makefile
++++ b/Makefile
+@@ -33,6 +33,9 @@ ifeq ($(STRIP),yes)
+ endif
+ 
+ $(TARGET): $(SOURCES) $(VERSION_FILE)
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
++ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+-- 
+2.25.1
+
diff --git a/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch b/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a9b95d10e9229688e4ea267f61c331edf16cb2f
--- /dev/null
+++ b/shim/patches/0003-kata-shim-add-linkmode-to-resolve-build-error.patch
@@ -0,0 +1,37 @@
+From 68290317bc35b3420506f0e25d7fccbdb9f88f5f Mon Sep 17 00:00:00 2001
+From: jikui
+Date: Mon, 22 Mar 2021 17:21:10 +0800
+Subject: [PATCH] kata-shim: add linkmode to resolve build error
+
+reason: add linkmode to resolve build error
+
+Signed-off-by: jikui
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b244053..70d4a8d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -5,7 +5,7 @@
+ #
+ 
+ # Set to "yes“ if binary stripping is needed.
+-STRIP := no
++STRIP := yes
+ 
+ DESTDIR :=
+ ifeq ($(PREFIX),)
+@@ -36,7 +36,7 @@ $(TARGET): $(SOURCES) $(VERSION_FILE)
+ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW="-Wl,-z,relro,-z,now" \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+- go build $(BUILDFLAGS) -o $@ -ldflags "-X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
++ go build $(BUILDFLAGS) -o $@ -ldflags "-linkmode=external -X main.version=$(VERSION_COMMIT) $(KATA_LDFLAGS)"
+ 
+ test:
+ @echo "Go tests using faketty"
+-- 
+2.25.1
+
diff --git a/shim/series.conf b/shim/series.conf
index ce1ab400e6d85580734751282687de0cbfbb2b41..3508352a344f963d5143b4798e586df04fdadc34 100644
--- a/shim/series.conf
+++ b/shim/series.conf
@@ -1 +1,3 @@
 0001-kata-shim-fix-kata-shim-process-wait-long-tim.patch
+0002-kata-shim-modify-make-flags.patch
+0003-kata-shim-add-linkmode-to-resolve-build-error.patch