diff --git a/sys/arm64/arm64/identcpu.c b/sys/arm64/arm64/identcpu.c
--- a/sys/arm64/arm64/identcpu.c
+++ b/sys/arm64/arm64/identcpu.c
@@ -2176,6 +2176,17 @@
 	}
 }
 
+static void
+tcr_set_e0pd1(void *arg __unused)
+{
+	uint64_t tcr;
+
+	tcr = READ_SPECIALREG(tcr_el1);
+	tcr |= TCR_E0PD1;
+	WRITE_SPECIALREG(tcr_el1, tcr);
+	isb();
+}
+
 static void
 identify_cpu_sysinit(void *dummy __unused)
 {
@@ -2229,6 +2240,14 @@
 		panic("CPU does not support LSE atomic instructions");
 #endif
 
+	/*
+	 * If FEAT_E0PD is supported use it to cause faults without a page
+	 * table walk if userspace tries to access kernel memory.
+	 */
+	if (ID_AA64MMFR2_E0PD_VAL(kern_cpu_desc.id_aa64mmfr2) !=
+	    ID_AA64MMFR2_E0PD_NONE)
+		smp_rendezvous(NULL, tcr_set_e0pd1, NULL, NULL);
+
 	install_undef_handler(true, user_mrs_handler);
 }
 SYSINIT(identify_cpu, SI_SUB_CPU, SI_ORDER_MIDDLE, identify_cpu_sysinit, NULL);