diff --git a/sys/amd64/amd64/efirt_machdep.c b/sys/amd64/amd64/efirt_machdep.c
--- a/sys/amd64/amd64/efirt_machdep.c
+++ b/sys/amd64/amd64/efirt_machdep.c
@@ -56,6 +56,15 @@
 #include <vm/vm_pager.h>
 #include <vm/vm_radix.h>
 
+/* The EFI regions we're allowed to map. */
+#define EFI_ALLOWED_TYPES_MASK ( \
+    1u << EFI_MD_TYPE_BS_CODE | 1u << EFI_MD_TYPE_BS_DATA | \
+    1u << EFI_MD_TYPE_RT_CODE | 1u << EFI_MD_TYPE_RT_DATA | \
+    1u << EFI_MD_TYPE_FIRMWARE \
+)
+
+uint32_t efi_map_regs;
+
 static pml5_entry_t *efi_pml5;
 static pml4_entry_t *efi_pml4;
 static vm_object_t obj_1t1_pt;
@@ -198,9 +207,16 @@
 		pmap_pinit_pml4(efi_pmltop_page);
 	}
 
+	if ((efi_map_regs & ~EFI_ALLOWED_TYPES_MASK) != 0) {
+		printf("Ignoring the following runtime EFI regions: %#x\n",
+		    efi_map_regs & ~EFI_ALLOWED_TYPES_MASK);
+		efi_map_regs &= EFI_ALLOWED_TYPES_MASK;
+	}
+
 	for (i = 0, p = map; i < ndesc; i++, p = efi_next_descriptor(p,
 	    descsz)) {
-		if ((p->md_attr & EFI_MD_ATTR_RT) == 0)
+		if ((p->md_attr & EFI_MD_ATTR_RT) == 0 &&
+		    !EFI_MAP_BOOTTYPE_ALLOWED(p->md_type))
 			continue;
 		if (p->md_virt != 0 && p->md_virt != p->md_phys) {
 			if (bootverbose)
diff --git a/sys/amd64/amd64/machdep.c b/sys/amd64/amd64/machdep.c
--- a/sys/amd64/amd64/machdep.c
+++ b/sys/amd64/amd64/machdep.c
@@ -758,6 +758,7 @@
 		printf("%23s %12s %12s %8s %4s\n",
 		    "Type", "Physical", "Virtual", "#Pages", "Attr");
 
+	TUNABLE_INT_FETCH("machdep.efirt.regs", &efi_map_regs);
 	for (i = 0, p = map; i < ndesc; i++,
 	    p = efi_next_descriptor(p, efihdr->descriptor_size)) {
 		if (boothowto & RB_VERBOSE) {
@@ -795,10 +796,13 @@
 		}
 
 		switch (p->md_type) {
-		case EFI_MD_TYPE_CODE:
-		case EFI_MD_TYPE_DATA:
 		case EFI_MD_TYPE_BS_CODE:
 		case EFI_MD_TYPE_BS_DATA:
+			if (EFI_MAP_BOOTTYPE_ALLOWED(p->md_type))
+				continue;
+			/* FALLTHROUGH */
+		case EFI_MD_TYPE_CODE:
+		case EFI_MD_TYPE_DATA:
 		case EFI_MD_TYPE_FREE:
 			/*
 			 * We're allowed to use any entry with these types.
diff --git a/sys/amd64/include/efi.h b/sys/amd64/include/efi.h
--- a/sys/amd64/include/efi.h
+++ b/sys/amd64/include/efi.h
@@ -53,6 +53,10 @@
 #define	EFI_TIME_OWNED()	mtx_assert(&atrtc_time_lock, MA_OWNED)
 
 #define	EFI_RT_HANDLE_FAULTS_DEFAULT	1
+
+#define EFI_MAP_BOOTTYPE_ALLOWED(type) (((efi_map_regs >> (type)) & 1) != 0)
+
+extern uint32_t efi_map_regs;
 #endif
 
 struct efirt_callinfo {