diff --git a/qemu/target/arm/arm-powerctl.c b/qemu/target/arm/arm-powerctl.c
index fcf14ecf..bd19a359 100644
--- a/qemu/target/arm/arm-powerctl.c
+++ b/qemu/target/arm/arm-powerctl.c
@@ -155,6 +155,16 @@ int arm_set_cpu_on(struct uc_struct *uc,
     } else {
         /* Processor is not in secure mode */
         target_cpu->env.cp15.scr_el3 |= SCR_NS;
+
+        /*
+         * If QEMU is providing the equivalent of EL3 firmware, then we need
+         * to make sure a CPU targeting EL2 comes out of reset with a
+         * functional HVC insn.
+         */
+        if (arm_feature(&target_cpu->env, ARM_FEATURE_EL3)
+            && target_el == 2) {
+            target_cpu->env.cp15.scr_el3 |= SCR_HCE;
+        }
     }

     /* We check if the started CPU is now at the correct level */
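Review bot: The new SCR_HCE write is gated on ARM_FEATURE_EL3 and target_el == 2 but not on EL2 actually being implemented; SCR_EL3.HCE is RES0 on a CPU without EL2, so unless arm_set_cpu_on already rejects target_el == 2 for an EL2-less CPU earlier in the function (not visible in this hunk), the guard should read `if (target_el == 2 && arm_feature(&target_cpu->env, ARM_FEATURE_EL3) && arm_feature(&target_cpu->env, ARM_FEATURE_EL2))`, which also puts the cheap integer compare ahead of the feature lookups on the common EL1 path. The comment describes the EL3-firmware intent but not that the bit matters for the AArch32 path chosen above as well; I would add `/* Needed for AArch32 Hyp mode too: HVC is UNDEFINED in Non-secure state while HCE is clear. */` so a later reader does not move the block under the AArch64-only branch. The body of arm_set_cpu_on starts before and continues after this hunk, including the assert on arm_current_el() that the trailing comment refers to.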