Index: sys/arm64/arm64/locore.S
===================================================================
--- sys/arm64/arm64/locore.S
+++ sys/arm64/arm64/locore.S
@@ -102,6 +102,9 @@
 	br	x15
 
 virtdone:
+	/* Allow the above branch to here when BTI is supported */
+	BTI_J
+
 	/* Set up the stack */
 	adrp	x25, initstack_end
 	add	x25, x25, :lo12:initstack_end
@@ -202,6 +205,9 @@
 	br	x15
 
 mp_virtdone:
+	/* Allow the above branch to here when BTI is supported */
+	BTI_J
+
 	/* Start using the AP boot stack */
 	ldr	x4, =bootstack
 	ldr	x4, [x4]
@@ -633,6 +639,9 @@
 	orr	x12, x7, #L2_BLOCK
 	orr	x12, x12, #(ATTR_DEFAULT)
 	orr	x12, x12, #(ATTR_S1_UXN)
+#ifdef __ARM_FEATURE_BTI_DEFAULT
+	orr	x12, x12, #(ATTR_KERN_GP)
+#endif
 
 	/* Only use the output address bits */
 	lsr	x9, x9, #L2_SHIFT
Index: sys/arm64/arm64/pmap.c
===================================================================
--- sys/arm64/arm64/pmap.c
+++ sys/arm64/arm64/pmap.c
@@ -693,6 +693,8 @@
 	if (pmap->pm_stage == PM_STAGE1) {
 		if ((prot & VM_PROT_EXECUTE) == 0)
 			val |= ATTR_S1_XN;
+		else if (pmap == kernel_pmap)
+			val |= ATTR_KERN_GP;
 		if ((prot & VM_PROT_WRITE) == 0)
 			val |= ATTR_S1_AP(ATTR_S1_AP_RO);
 	} else {
@@ -915,7 +917,8 @@
 
 		pa = pmap_early_vtophys(l1pt, l3pt);
 		pmap_store(&l2[l2_slot],
-		    (pa & ~Ln_TABLE_MASK) | ATTR_S1_UXN | L2_TABLE);
+		    (pa & ~Ln_TABLE_MASK) | ATTR_S1_UXN | ATTR_KERN_GP |
+		     L2_TABLE);
 		l3pt += PAGE_SIZE;
 	}
 
@@ -3297,6 +3300,9 @@
 	if ((prot & VM_PROT_EXECUTE) == 0) {
 		mask |= ATTR_S1_XN;
 		nbits |= ATTR_S1_XN;
+	} else if (pmap == kernel_pmap) {
+		mask |= ATTR_KERN_GP;
+		nbits |= ATTR_KERN_GP;
 	}
 	if (mask == 0)
 		return;
@@ -6010,9 +6016,11 @@
 		}
 		if ((prot & VM_PROT_EXECUTE) == 0) {
 			bits |= ATTR_S1_PXN;
+		} else {
+			bits |= ATTR_KERN_GP;
 		}
 		bits |= ATTR_S1_UXN;
-		mask |= ATTR_S1_AP_MASK | ATTR_S1_XN;
+		mask |= ATTR_S1_AP_MASK | ATTR_S1_XN | ATTR_KERN_GP;
 	}
 
 	for (tmpva = base; tmpva < base + size; ) {
@@ -7000,12 +7008,13 @@
 		break;
 	}
 
-	sbuf_printf(sb, "0x%016lx-0x%016lx r%c%c%c%c %3s %d %d %d %d\n",
+	sbuf_printf(sb, "0x%016lx-0x%016lx r%c%c%c%c%c %3s %d %d %d %d\n",
 	    range->sva, eva,
 	    (range->attrs & ATTR_S1_AP_RW_BIT) == ATTR_S1_AP_RW ? 'w' : '-',
 	    (range->attrs & ATTR_S1_PXN) != 0 ? '-' : 'x',
 	    (range->attrs & ATTR_S1_UXN) != 0 ? '-' : 'X',
 	    (range->attrs & ATTR_S1_AP(ATTR_S1_AP_USER)) != 0 ? 'u' : 's',
+	    (range->attrs & ATTR_GP) != 0 ? 'g' : '-',
 	    mode, range->l1blocks, range->l2blocks, range->l3contig,
 	    range->l3pages);
 
@@ -7055,7 +7064,8 @@
 static pt_entry_t
 sysctl_kmaps_block_attrs(pt_entry_t block)
 {
-	return (block & (ATTR_S1_AP_MASK | ATTR_S1_XN | ATTR_S1_IDX_MASK));
+	return (block & (ATTR_S1_AP_MASK | ATTR_S1_XN | ATTR_S1_IDX_MASK |
+	    ATTR_GP));
 }
 
 /*
Index: sys/arm64/include/armreg.h
===================================================================
--- sys/arm64/include/armreg.h
+++ sys/arm64/include/armreg.h
@@ -220,6 +220,7 @@
 #define	 EXCP_UNKNOWN		0x00	/* Unkwn exception */
 #define	 EXCP_TRAP_WFI_WFE	0x01	/* Trapped WFI or WFE */
 #define	 EXCP_FP_SIMD		0x07	/* VFP/SIMD trap */
+#define	 EXCP_BTI		0x0d	/* Branch Target Exception */
 #define	 EXCP_ILL_STATE		0x0e	/* Illegal execution state */
 #define	 EXCP_SVC32		0x11	/* SVC trap for AArch32 */
 #define	 EXCP_SVC64		0x15	/* SVC trap for AArch64 */
Index: sys/arm64/include/asm.h
===================================================================
--- sys/arm64/include/asm.h
+++ sys/arm64/include/asm.h
@@ -46,7 +46,7 @@
 
 #define	LENTRY(sym)						\
 	.text; .align 2; .type sym,#function; sym:		\
-	.cfi_startproc; DTRACE_NOP
+	.cfi_startproc; __BTI_C; DTRACE_NOP
 #define	ENTRY(sym)						\
 	.globl sym; LENTRY(sym)
 #define	EENTRY(sym)						\
@@ -112,4 +112,17 @@
 	dsb	sy;							\
 	isb
 
+#ifdef __ARM_FEATURE_BTI_DEFAULT
+#define	__BTI_C	bti	c
+#define	__BTI_J	bti	j
+#else
+#define	__BTI_C
+#define	__BTI_J
+#endif
+
+#ifdef _KERNEL
+#define	BTI_C	__BTI_C
+#define	BTI_J	__BTI_J
+#endif
+
 #endif /* _MACHINE_ASM_H_ */
Index: sys/arm64/include/pte.h
===================================================================
--- sys/arm64/include/pte.h
+++ sys/arm64/include/pte.h
@@ -70,6 +70,7 @@
 
 #define	ATTR_CONTIGUOUS		(1UL << 52)
 #define	ATTR_DBM		(1UL << 51)
+#define	ATTR_GP			(1UL << 50)
 #define	ATTR_S1_nG		(1 << 11)
 #define	ATTR_AF			(1 << 10)
 #define	ATTR_SH(x)		((x) << 8)
@@ -161,6 +162,12 @@
 #define	pmap_l2_index(va)	(((va) >> L2_SHIFT) & Ln_ADDR_MASK)
 #define	pmap_l3_index(va)	(((va) >> L3_SHIFT) & Ln_ADDR_MASK)
 
+#ifdef __ARM_FEATURE_BTI_DEFAULT
+#define	ATTR_KERN_GP	ATTR_GP
+#else
+#define	ATTR_KERN_GP	0
+#endif
+
 #endif /* !_MACHINE_PTE_H_ */
 
 /* End of pte.h */