diff --git a/qemu/aarch64.h b/qemu/aarch64.h
index fb6be529..a014ce39 100644
--- a/qemu/aarch64.h
+++ b/qemu/aarch64.h
@@ -4284,6 +4284,8 @@
 #define pmccntr_op_finish pmccntr_op_finish_aarch64
 #define pmu_op_start pmu_op_start_aarch64
 #define pmu_op_finish pmu_op_finish_aarch64
+#define pmu_pre_el_change pmu_pre_el_change_aarch64
+#define pmu_post_el_change pmu_post_el_change_aarch64
 #define pred_esz_masks pred_esz_masks_aarch64
 #define raise_exception raise_exception_aarch64
 #define raise_exception_ra raise_exception_ra_aarch64
diff --git a/qemu/aarch64eb.h b/qemu/aarch64eb.h
index b2769f2f..54a40704 100644
--- a/qemu/aarch64eb.h
+++ b/qemu/aarch64eb.h
@@ -4284,6 +4284,8 @@
 #define pmccntr_op_finish pmccntr_op_finish_aarch64eb
 #define pmu_op_start pmu_op_start_aarch64eb
 #define pmu_op_finish pmu_op_finish_aarch64eb
+#define pmu_pre_el_change pmu_pre_el_change_aarch64eb
+#define pmu_post_el_change pmu_post_el_change_aarch64eb
 #define pred_esz_masks pred_esz_masks_aarch64eb
 #define raise_exception raise_exception_aarch64eb
 #define raise_exception_ra raise_exception_ra_aarch64eb
diff --git a/qemu/arm.h b/qemu/arm.h
index 003a37dd..ca52b50a 100644
--- a/qemu/arm.h
+++ b/qemu/arm.h
@@ -3292,6 +3292,8 @@
 #define pmccntr_op_finish pmccntr_op_finish_arm
 #define pmu_op_start pmu_op_start_arm
 #define pmu_op_finish pmu_op_finish_arm
+#define pmu_pre_el_change pmu_pre_el_change_arm
+#define pmu_post_el_change pmu_post_el_change_arm
 #define raise_exception raise_exception_arm
 #define raise_exception_ra raise_exception_ra_arm
 #define sli_op sli_op_arm
diff --git a/qemu/armeb.h b/qemu/armeb.h
index b2bbed20..c8d66b23 100644
--- a/qemu/armeb.h
+++ b/qemu/armeb.h
@@ -3292,6 +3292,8 @@ #define pmccntr_op_finish pmccntr_op_finish_armeb #define pmu_op_start pmu_op_start_armeb #define pmu_op_finish pmu_op_finish_armeb +#define pmu_pre_el_change pmu_pre_el_change_armeb +#define pmu_post_el_change pmu_post_el_change_armeb #define raise_exception raise_exception_armeb #define raise_exception_ra raise_exception_ra_armeb #define sli_op sli_op_armeb diff --git a/qemu/header_gen.py b/qemu/header_gen.py index b5c2c6fa..092a9cb6 100644 --- a/qemu/header_gen.py +++ b/qemu/header_gen.py @@ -3301,6 +3301,8 @@ arm_symbols = ( 'pmccntr_op_finish', 'pmu_op_start', 'pmu_op_finish', + 'pmu_pre_el_change', + 'pmu_post_el_change', 'raise_exception', 'raise_exception_ra', 'sli_op', @@ -4327,6 +4329,8 @@ aarch64_symbols = ( 'pmccntr_op_finish', 'pmu_op_start', 'pmu_op_finish', + 'pmu_pre_el_change', + 'pmu_post_el_change', 'pred_esz_masks', 'raise_exception', 'raise_exception_ra', diff --git a/qemu/target/arm/cpu.c b/qemu/target/arm/cpu.c index 886230b4..1834faab 100644 --- a/qemu/target/arm/cpu.c +++ b/qemu/target/arm/cpu.c @@ -763,6 +763,13 @@ static int arm_cpu_realizefn(struct uc_struct *uc, DeviceState *dev, Error **err unset_feature(env, ARM_FEATURE_PMU); cpu->id_aa64dfr0 &= ~0xf00; } + // Unicorn: Commented out +#if 0 + else if (!kvm_enabled()) { + arm_register_pre_el_change_hook(cpu, &pmu_pre_el_change, 0); + arm_register_el_change_hook(cpu, &pmu_post_el_change, 0); + } +#endif if (!arm_feature(env, ARM_FEATURE_EL2)) { /* Disable the hypervisor feature bits in the processor feature diff --git a/qemu/target/arm/cpu.h b/qemu/target/arm/cpu.h index 3824cb9d..c3332428 100644 --- a/qemu/target/arm/cpu.h +++ b/qemu/target/arm/cpu.h 
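Review bot: The registration of the new EL-change hooks in arm_cpu_realizefn is disabled under `#if 0`, so pmu_pre_el_change/pmu_post_el_change introduced by this commit are declared, exported and defined but never invoked, and PMCCNTR is not re-synchronised around exception-level changes. Since pmu_counter_enabled (later in this diff) now filters on the current EL and security state, a cycle counter that is enabled at one EL and filtered at another will presumably mis-attribute the cycles spent between two PMU register accesses, which is exactly the window the hooks exist to close. The bare `// Unicorn: Commented out` does not say why; if Unicorn lacks arm_register_pre_el_change_hook/arm_register_el_change_hook and kvm_enabled(), I would state that and the consequence, e.g. `/* Unicorn: no EL-change hook registry, so pmu_pre_el_change/pmu_post_el_change are not wired up; PMCCNTR filtering is only re-evaluated on PMU register access. */`, or better keep the dead branch out and track it as a TODO. arm_cpu_realizefn starts before and continues after this hunk.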
@@ -943,6 +943,12 @@ void pmccntr_op_finish(CPUARMState *env); void pmu_op_start(CPUARMState *env); void pmu_op_finish(CPUARMState *env); +/** + * Functions to register as EL change hooks for PMU mode filtering + */ +void pmu_pre_el_change(ARMCPU *cpu, void *ignored); +void pmu_post_el_change(ARMCPU *cpu, void *ignored); + /* SCTLR bit meanings. Several bits have been reused in newer * versions of the architecture; in that case we define constants * for both old and new bit meanings. Code which tests against those @@ -1025,7 +1031,8 @@ void pmu_op_finish(CPUARMState *env); #define MDCR_EPMAD (1U << 21) #define MDCR_EDAD (1U << 20) -#define MDCR_SPME (1U << 17) +#define MDCR_SPME (1U << 17) /* MDCR_EL3 */ +#define MDCR_HPMD (1U << 17) /* MDCR_EL2 */ #define MDCR_SDD (1U << 16) #define MDCR_SPD (3U << 14) #define MDCR_TDRA (1U << 11) @@ -1035,6 +1042,7 @@ void pmu_op_finish(CPUARMState *env); #define MDCR_HPME (1U << 7) #define MDCR_TPM (1U << 6) #define MDCR_TPMCR (1U << 5) +#define MDCR_HPMN (0x1fU) /* Not all of the MDCR_EL3 bits are present in the 32-bit SDCR */ #define SDCR_VALID_MASK (MDCR_EPMAD | MDCR_EDAD | MDCR_SPME | MDCR_SPD) diff --git a/qemu/target/arm/helper.c b/qemu/target/arm/helper.c index b5cf93eb..f4c60f59 100644 --- a/qemu/target/arm/helper.c +++ b/qemu/target/arm/helper.c 
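Review bot: The new Doxygen block on pmu_pre_el_change/pmu_post_el_change says what they are for but not how they must be used, and the `ignored` parameter is undocumented. Their definitions in helper.c in this same commit make the pre hook call pmu_op_start() and the post hook call pmu_op_finish(), so they are only meaningful as a matched pair bracketing an EL switch, with `ignored` being the hook's opaque pointer that is never read. I would extend the comment to something like `Must be called as a pair: pmu_pre_el_change() before the EL switch (runs pmu_op_start) and pmu_post_el_change() after it (runs pmu_op_finish), so counters are accounted under the old filter settings and restarted under the new ones. @param ignored unused hook opaque.`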
@@ -840,10 +840,24 @@ static const ARMCPRegInfo v6_cp_reginfo[] = { /* Definitions for the PMU registers */ #define PMCRN_MASK 0xf800 #define PMCRN_SHIFT 11 +#define PMCRDP 0x10 #define PMCRD 0x8 #define PMCRC 0x4 #define PMCRE 0x1 +#define PMXEVTYPER_P 0x80000000 +#define PMXEVTYPER_U 0x40000000 +#define PMXEVTYPER_NSK 0x20000000 +#define PMXEVTYPER_NSU 0x10000000 +#define PMXEVTYPER_NSH 0x08000000 +#define PMXEVTYPER_M 0x04000000 +#define PMXEVTYPER_MT 0x02000000 +#define PMXEVTYPER_EVTCOUNT 0x0000ffff +#define PMXEVTYPER_MASK (PMXEVTYPER_P | PMXEVTYPER_U | PMXEVTYPER_NSK | \ + PMXEVTYPER_NSU | PMXEVTYPER_NSH | \ + PMXEVTYPER_M | PMXEVTYPER_MT | \ + PMXEVTYPER_EVTCOUNT) + static inline uint32_t pmu_num_counters(CPUARMState *env) { return (env->cp15.c9_pmcr & PMCRN_MASK) >> PMCRN_SHIFT; 
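Review bot: `#define PMCRDP 0x10` places PMCR.DP at bit 4, but in the PMCR_EL0 register layout bit 4 is X (event export enable) and DP is bit 5, so the value should be `#define PMCRDP 0x20`. With 0x10 the `prohibited = env->cp15.c9_pmcr & PMCRDP` test in pmu_counter_enabled later in this diff keys the cycle-counter prohibition off the X bit, so a guest that sets DP to stop PMCCNTR in prohibited regions will still see it count, and one that only sets X will see it stop. While touching these constants, a per-bit comment would make the next such slip visible, e.g. `#define PMCRDP 0x20 /* PMCR.DP: stop PMCCNTR while counting is prohibited */`.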
@@ -939,15 +953,64 @@ static CPAccessResult pmreg_access_ccntr(CPUARMState *env, return pmreg_access(env, ri, isread); } -static inline bool arm_ccnt_enabled(CPUARMState *env) +/* Returns true if the counter (pass 31 for PMCCNTR) should count events using + * the current EL, security state, and register configuration. + */ +static bool pmu_counter_enabled(CPUARMState *env, uint8_t counter) { - /* This does not support checking PMCCFILTR_EL0 register */ + uint64_t filter; + bool e, p, u, nsk, nsu, nsh, m; + bool enabled, prohibited, filtered; + bool secure = arm_is_secure(env); + int el = arm_current_el(env); + uint8_t hpmn = env->cp15.mdcr_el2 & MDCR_HPMN; - if (!(env->cp15.c9_pmcr & PMCRE) || !(env->cp15.c9_pmcnten & (1 << 31))) { - return false; + if (!arm_feature(env, ARM_FEATURE_EL2) || + (counter < hpmn || counter == 31)) { + e = env->cp15.c9_pmcr & PMCRE; + } else { + e = env->cp15.mdcr_el2 & MDCR_HPME; + } + enabled = e && (env->cp15.c9_pmcnten & (1 << counter)); + + if (!secure) { + if (el == 2 && (counter < hpmn || counter == 31)) { + prohibited = env->cp15.mdcr_el2 & MDCR_HPMD; + } else { + prohibited = false; + } + } else { + prohibited = arm_feature(env, ARM_FEATURE_EL3) && + (env->cp15.mdcr_el3 & MDCR_SPME); } - return true; + if (prohibited && counter == 31) { + prohibited = env->cp15.c9_pmcr & PMCRDP; + } + + /* TODO Remove assert, set filter to correct PMEVTYPER */ + assert(counter == 31); + filter = env->cp15.pmccfiltr_el0; + + p = filter & PMXEVTYPER_P; + u = filter & PMXEVTYPER_U; + nsk = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSK); + nsu = arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_NSU); + nsh = arm_feature(env, ARM_FEATURE_EL2) && (filter & PMXEVTYPER_NSH); + m = arm_el_is_aa64(env, 1) && + arm_feature(env, ARM_FEATURE_EL3) && (filter & PMXEVTYPER_M); + + if (el == 0) { + filtered = secure ? u : u != nsu; + } else if (el == 1) { + filtered = secure ? 
p : p != nsk; + } else if (el == 2) { + filtered = !nsh; + } else { /* EL3 */ + filtered = m != p; + } + + return enabled && !prohibited && !filtered; } /* @@ -962,7 +1025,7 @@ void pmccntr_op_start(CPUARMState *env) cycles = muldiv64(qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL), NANOSECONDS_PER_SECOND, 1000000); - if (arm_ccnt_enabled(env)) { + if (pmu_counter_enabled(env, 31)) { uint64_t eff_cycles = cycles; if (env->cp15.c9_pmcr & PMCRD) { /* Increment once every 64 processor clock cycles */ @@ -981,7 +1044,7 @@ void pmccntr_op_start(CPUARMState *env) */ void pmccntr_op_finish(CPUARMState *env) { - if (arm_ccnt_enabled(env)) { + if (pmu_counter_enabled(env, 31)) { uint64_t prev_cycles = env->cp15.c15_ccnt_delta; if (env->cp15.c9_pmcr & PMCRD) { @@ -1003,6 +1066,16 @@ void pmu_op_finish(CPUARMState *env) pmccntr_op_finish(env); } +void pmu_pre_el_change(ARMCPU *cpu, void *ignored) +{ + pmu_op_start(&cpu->env); +} + +void pmu_post_el_change(ARMCPU *cpu, void *ignored) +{ + pmu_op_finish(&cpu->env); +} + static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value) { @@ -1074,6 +1147,14 @@ void pmu_op_finish(CPUARMState *env) { } +void pmu_pre_el_change(ARMCPU *cpu, void *ignored) +{ +} + +void pmu_post_el_change(ARMCPU *cpu, void *ignored) +{ +} + #endif static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
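Review bot: `enabled = e && (env->cp15.c9_pmcnten & (1 << counter))` shifts a signed `1` by `counter`, and the only callers in this diff pass 31, so the expression evaluates `1 << 31`, which is undefined behaviour for a 32-bit int in C11; use `(1U << counter)` (the removed arm_ccnt_enabled had the same latent `1 << 31`). Separately, the `assert(counter == 31)` that stands in for per-counter PMEVTYPER selection is compiled out under NDEBUG, after which any caller passing an event counter would silently be filtered by PMCCFILTR_EL0; until the TODO is resolved I would make the fallback explicit rather than rely on the assert, e.g. `if (counter != 31) { return enabled && !prohibited; }` placed before the `filter = env->cp15.pmccfiltr_el0;` line, or use an assert that survives release builds. The `counter` parameter is a uint8_t with no upper-bound check, so the shift is also out of range for values above 31 if the assert goes away.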