diff --git a/qemu/target-arm/cpu.h b/qemu/target-arm/cpu.h
index 0d0e2fdf..63beab05 100644
--- a/qemu/target-arm/cpu.h
+++ b/qemu/target-arm/cpu.h
@@ -383,6 +383,7 @@ typedef struct CPUARMState {
         uint64_t dbgwcr[16]; /* watchpoint control registers */
         uint64_t mdscr_el1;
         uint64_t oslsr_el1; /* OS Lock Status */
+        uint64_t mdcr_el2;
         /* If the counter is enabled, this stores the last time the counter
          * was reset. Otherwise it stores the counter value
          */
diff --git a/qemu/target-arm/helper.c b/qemu/target-arm/helper.c
index c2924319..f9a2a3a6 100644
--- a/qemu/target-arm/helper.c
+++ b/qemu/target-arm/helper.c
@@ -2851,6 +2851,8 @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       PL2_RW, 0, NULL, 0 },
     { "CNTHP_CTL_EL2", 0,14,2, 3,4,1, ARM_CP_STATE_BOTH, ARM_CP_CONST,
       PL2_RW, 0, NULL, 0 },
+    { "MDCR_EL2", 0,1,1, 3,4,1, ARM_CP_STATE_BOTH, ARM_CP_CONST,
+      PL2_RW, 0, NULL, 0 },
     REGINFO_SENTINEL
 };
 
@@ -3005,6 +3007,13 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].ctl), {0, 0},
       NULL, NULL, gt_hyp_ctl_write, NULL, raw_write },
 #endif
+    /* The only field of MDCR_EL2 that has a defined architectural reset value
+     * is MDCR_EL2.HPMN which should reset to the value of PMCR_EL0.N; but we
+     * don't impelment any PMU event counters, so using zero as a reset
+     * value for MDCR_EL2 is okay
+     */
+    { "MDCR_EL2", 0,1,1, 3,4,1, ARM_CP_STATE_BOTH, 0,
+      PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.mdcr_el2), },
     REGINFO_SENTINEL
 };