diff --git a/sys/arm64/arm64/debug_monitor.c b/sys/arm64/arm64/debug_monitor.c
--- a/sys/arm64/arm64/debug_monitor.c
+++ b/sys/arm64/arm64/debug_monitor.c
@@ -186,6 +186,9 @@
 kdb_cpu_set_singlestep(void)
 {
 
+	KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D,
+	    ("%s: debug exceptions are not masked", __func__));
+
 	kdb_frame->tf_spsr |= DBG_SPSR_SS;
 	WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) |
 	    DBG_MDSCR_SS | DBG_MDSCR_KDE);
@@ -205,6 +208,9 @@
 kdb_cpu_clear_singlestep(void)
 {
 
+	KASSERT((READ_SPECIALREG(daif) & PSR_D) == PSR_D,
+	    ("%s: debug exceptions are not masked", __func__));
+
 	WRITE_SPECIALREG(mdscr_el1, READ_SPECIALREG(mdscr_el1) &
 	    ~(DBG_MDSCR_SS | DBG_MDSCR_KDE));
 
diff --git a/sys/arm64/arm64/exception.S b/sys/arm64/arm64/exception.S
--- a/sys/arm64/arm64/exception.S
+++ b/sys/arm64/arm64/exception.S
@@ -75,8 +75,12 @@
 
 	ldr	x0, [x18, #(PC_CURTHREAD)]
 	bl	dbg_monitor_enter
-.endif
 	msr	daifclr, #8	/* Enable the debug exception */
+.endif
+	/*
+	 * For EL1, debug exceptions are conditionally unmasked in
+	 * do_el1h_sync().
+	 */
 .endm
 
 .macro	restore_registers el
diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c
--- a/sys/arm64/arm64/trap.c
+++ b/sys/arm64/arm64/trap.c
@@ -377,6 +377,14 @@
 	    "do_el1_sync: curthread: %p, esr %lx, elr: %lx, frame: %p", td,
 	    esr, frame->tf_elr, frame);
 
+	/*
+	 * Enable debug exceptions if we aren't already handling one. They will
+	 * be masked again in the exception handler's epilogue.
+	 */
+	if (exception != EXCP_BRK && exception != EXCP_WATCHPT_EL1 &&
+	    exception != EXCP_SOFTSTP_EL1)
+		dbg_enable();
+
 	switch (exception) {
 	case EXCP_FP_SIMD:
 	case EXCP_TRAP_FP: