diff --git a/qemu/aarch64.h b/qemu/aarch64.h
index cbc777c9..ff94e87f 100644
--- a/qemu/aarch64.h
+++ b/qemu/aarch64.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_aarch64
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_aarch64
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_aarch64
+#define arm_gt_htimer_cb arm_gt_htimer_cb_aarch64
 #define arm_handle_psci_call arm_handle_psci_call_aarch64
 #define arm_is_psci_call arm_is_psci_call_aarch64
 #define arm_is_secure arm_is_secure_aarch64
diff --git a/qemu/aarch64eb.h b/qemu/aarch64eb.h
index 2310c7f4..4c50ea00 100644
--- a/qemu/aarch64eb.h
+++ b/qemu/aarch64eb.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_aarch64eb
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_aarch64eb
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_aarch64eb
+#define arm_gt_htimer_cb arm_gt_htimer_cb_aarch64eb
 #define arm_handle_psci_call arm_handle_psci_call_aarch64eb
 #define arm_is_psci_call arm_is_psci_call_aarch64eb
 #define arm_is_secure arm_is_secure_aarch64eb
diff --git a/qemu/arm.h b/qemu/arm.h
index cf8b9545..656004a9 100644
--- a/qemu/arm.h
+++ b/qemu/arm.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_arm
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_arm
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_arm
+#define arm_gt_htimer_cb arm_gt_htimer_cb_arm
 #define arm_handle_psci_call arm_handle_psci_call_arm
 #define arm_is_psci_call arm_is_psci_call_arm
 #define arm_is_secure arm_is_secure_arm
diff --git a/qemu/armeb.h b/qemu/armeb.h
index 4496c15a..3fd55e57 100644
--- a/qemu/armeb.h
+++ b/qemu/armeb.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_armeb
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_armeb
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_armeb
+#define arm_gt_htimer_cb arm_gt_htimer_cb_armeb
 #define arm_handle_psci_call arm_handle_psci_call_armeb
 #define arm_is_psci_call arm_is_psci_call_armeb
 #define arm_is_secure arm_is_secure_armeb
diff --git a/qemu/header_gen.py b/qemu/header_gen.py
index 11ac4729..429434e0 100644
--- a/qemu/header_gen.py
+++ b/qemu/header_gen.py
@@ -156,6 +156,7 @@ symbols = (
     'arm_gen_test_cc',
     'arm_gt_ptimer_cb',
     'arm_gt_vtimer_cb',
+    'arm_gt_htimer_cb',
     'arm_handle_psci_call',
     'arm_is_psci_call',
     'arm_is_secure',
diff --git a/qemu/m68k.h b/qemu/m68k.h
index 824020b0..becab6eb 100644
--- a/qemu/m68k.h
+++ b/qemu/m68k.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_m68k
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_m68k
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_m68k
+#define arm_gt_htimer_cb arm_gt_htimer_cb_m68k
 #define arm_handle_psci_call arm_handle_psci_call_m68k
 #define arm_is_psci_call arm_is_psci_call_m68k
 #define arm_is_secure arm_is_secure_m68k
diff --git a/qemu/mips.h b/qemu/mips.h
index f35c01ad..159b3265 100644
--- a/qemu/mips.h
+++ b/qemu/mips.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_mips
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_mips
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_mips
+#define arm_gt_htimer_cb arm_gt_htimer_cb_mips
 #define arm_handle_psci_call arm_handle_psci_call_mips
 #define arm_is_psci_call arm_is_psci_call_mips
 #define arm_is_secure arm_is_secure_mips
diff --git a/qemu/mips64.h b/qemu/mips64.h
index 8a0c8c65..b6cacb79 100644
--- a/qemu/mips64.h
+++ b/qemu/mips64.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_mips64
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_mips64
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_mips64
+#define arm_gt_htimer_cb arm_gt_htimer_cb_mips64
 #define arm_handle_psci_call arm_handle_psci_call_mips64
 #define arm_is_psci_call arm_is_psci_call_mips64
 #define arm_is_secure arm_is_secure_mips64
diff --git a/qemu/mips64el.h b/qemu/mips64el.h
index 3e9d13a7..e75670f9 100644
--- a/qemu/mips64el.h
+++ b/qemu/mips64el.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_mips64el
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_mips64el
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_mips64el
+#define arm_gt_htimer_cb arm_gt_htimer_cb_mips64el
 #define arm_handle_psci_call arm_handle_psci_call_mips64el
 #define arm_is_psci_call arm_is_psci_call_mips64el
 #define arm_is_secure arm_is_secure_mips64el
diff --git a/qemu/mipsel.h b/qemu/mipsel.h
index ae03514c..f47acd4a 100644
--- a/qemu/mipsel.h
+++ b/qemu/mipsel.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_mipsel
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_mipsel
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_mipsel
+#define arm_gt_htimer_cb arm_gt_htimer_cb_mipsel
 #define arm_handle_psci_call arm_handle_psci_call_mipsel
 #define arm_is_psci_call arm_is_psci_call_mipsel
 #define arm_is_secure arm_is_secure_mipsel
diff --git a/qemu/powerpc.h b/qemu/powerpc.h
index c480478b..cf2b2f3f 100644
--- a/qemu/powerpc.h
+++ b/qemu/powerpc.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_powerpc
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_powerpc
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_powerpc
+#define arm_gt_htimer_cb arm_gt_htimer_cb_powerpc
 #define arm_handle_psci_call arm_handle_psci_call_powerpc
 #define arm_is_psci_call arm_is_psci_call_powerpc
 #define arm_is_secure arm_is_secure_powerpc
diff --git a/qemu/sparc.h b/qemu/sparc.h
index c62cb60c..ac9ed4ab 100644
--- a/qemu/sparc.h
+++ b/qemu/sparc.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_sparc
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_sparc
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_sparc
+#define arm_gt_htimer_cb arm_gt_htimer_cb_sparc
 #define arm_handle_psci_call arm_handle_psci_call_sparc
 #define arm_is_psci_call arm_is_psci_call_sparc
 #define arm_is_secure arm_is_secure_sparc
diff --git a/qemu/sparc64.h b/qemu/sparc64.h
index e7baf1be..912621e1 100644
--- a/qemu/sparc64.h
+++ b/qemu/sparc64.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_sparc64
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_sparc64
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_sparc64
+#define arm_gt_htimer_cb arm_gt_htimer_cb_sparc64
 #define arm_handle_psci_call arm_handle_psci_call_sparc64
 #define arm_is_psci_call arm_is_psci_call_sparc64
 #define arm_is_secure arm_is_secure_sparc64
diff --git a/qemu/target-arm/cpu-qom.h b/qemu/target-arm/cpu-qom.h
index e16937fe..3faab218 100644
--- a/qemu/target-arm/cpu-qom.h
+++ b/qemu/target-arm/cpu-qom.h
@@ -220,6 +220,7 @@ int arm_cpu_gdb_write_register(CPUState *cpu, uint8_t *buf, int reg);
 /* Callback functions for the generic timer's timers. */
 void arm_gt_ptimer_cb(void *opaque);
 void arm_gt_vtimer_cb(void *opaque);
+void arm_gt_htimer_cb(void *opaque);
 
 #ifdef TARGET_AARCH64
 int aarch64_cpu_gdb_read_register(CPUState *cpu, uint8_t *buf, int reg);
diff --git a/qemu/target-arm/cpu.c b/qemu/target-arm/cpu.c
index 345658d1..fc8fe154 100644
--- a/qemu/target-arm/cpu.c
+++ b/qemu/target-arm/cpu.c
@@ -355,6 +355,8 @@ static void arm_cpu_initfn(struct uc_struct *uc, Object *obj, void *opaque)
                                                 arm_gt_ptimer_cb, cpu);
     cpu->gt_timer[GTIMER_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
                                                 arm_gt_vtimer_cb, cpu);
+    cpu->gt_timer[GTIMER_HYP] = timer_new(QEMU_CLOCK_VIRTUAL, GTIMER_SCALE,
+                                                arm_gt_htimer_cb, cpu);
     //qdev_init_gpio_out(DEVICE(cpu), cpu->gt_timer_outputs,
     //                   ARRAY_SIZE(cpu->gt_timer_outputs));
 #endif
diff --git a/qemu/target-arm/cpu.h b/qemu/target-arm/cpu.h
index f01a4329..a8d1873b 100644
--- a/qemu/target-arm/cpu.h
+++ b/qemu/target-arm/cpu.h
@@ -117,7 +117,8 @@ typedef struct ARMGenericTimer {
 
 #define GTIMER_PHYS 0
 #define GTIMER_VIRT 1
-#define NUM_GTIMERS 2
+#define GTIMER_HYP  2
+#define NUM_GTIMERS 3
 
 typedef struct {
     uint64_t raw_tcr;
diff --git a/qemu/target-arm/helper.c b/qemu/target-arm/helper.c
index 6c054637..266312eb 100644
--- a/qemu/target-arm/helper.c
+++ b/qemu/target-arm/helper.c
@@ -1236,6 +1236,34 @@ static void gt_cntvoff_write(CPUARMState *env, const ARMCPRegInfo *ri,
     gt_recalc_timer(cpu, GTIMER_VIRT);
 }
 
+static void gt_hyp_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    gt_timer_reset(env, ri, GTIMER_HYP);
+}
+
+static void gt_hyp_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_cval_write(env, ri, GTIMER_HYP, value);
+}
+
+static uint64_t gt_hyp_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    return gt_tval_read(env, ri, GTIMER_HYP);
+}
+
+static void gt_hyp_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_tval_write(env, ri, GTIMER_HYP, value);
+}
+
+static void gt_hyp_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_ctl_write(env, ri, GTIMER_HYP, value);
+}
+
 void arm_gt_ptimer_cb(void *opaque)
 {
     ARMCPU *cpu = opaque;
@@ -1250,6 +1278,13 @@ void arm_gt_vtimer_cb(void *opaque)
     gt_recalc_timer(cpu, GTIMER_VIRT);
 }
 
+void arm_gt_htimer_cb(void *opaque)
+{
+    ARMCPU *cpu = opaque;
+
+    gt_recalc_timer(cpu, GTIMER_HYP);
+}
+
 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
     /* Note that CNTFRQ is purely reads-as-written for the benefit
      * of software; writing it doesn't actually change the timer frequency.
@@ -2369,6 +2404,14 @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       PL2_RW, 0, NULL, 0 },
     { "CNTVOFF", 15,0,14, 0,4,0, ARM_CP_64BIT | ARM_CP_CONST, 0,
       PL2_RW, 0, NULL, 0 },
+    { "CNTHP_CVAL_EL2", 0,14,2, 3,4,2, ARM_CP_STATE_AA64, ARM_CP_CONST,
+      PL2_RW, 0, NULL, 0 },
+    { "CNTHP_CVAL", 15,0,14, 0,6,0, 0, ARM_CP_64BIT | ARM_CP_CONST,
+      PL2_RW, 0, NULL, 0 },
+    { "CNTHP_TVAL_EL2", 0,14,2, 3,4,0, ARM_CP_STATE_BOTH, ARM_CP_CONST,
+      PL2_RW, 0, NULL, 0 },
+    { "CNTHP_CTL_EL2", 0,14,2, 3,4,1, ARM_CP_STATE_BOTH, ARM_CP_CONST,
+      PL2_RW, 0, NULL, 0 },
     REGINFO_SENTINEL
 };
 
@@ -2460,6 +2503,18 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
     { "CNTVOFF", 15,0,14, 0,4,0, 0, ARM_CP_64BIT | ARM_CP_ALIAS | ARM_CP_IO,
       PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.cntvoff_el2), {0, 0},
       NULL, NULL, gt_cntvoff_write },
+    { "CNTHP_CVAL_EL2", 0,14,2, 3,4,2, ARM_CP_STATE_AA64, ARM_CP_IO,
+      PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval), {0, 0},
+      NULL, NULL, gt_hyp_cval_write, NULL, raw_write },
+    { "CNTHP_CVAL", .15,0,14, 0,6,0, 0, ARM_CP_64BIT | ARM_CP_IO,
+      PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].cval), {0, 0},
+      NULL, NULL, gt_hyp_cval_write, NULL, raw_write },
+    { "CNTHP_TVAL_EL2", 0,14,2, 3,4,0, ARM_CP_STATE_BOTH, ARM_CP_IO,
+      PL2_RW, 0, NULL, 0, 0, {0, 0},
+      NULL, gt_hyp_tval_read, gt_hyp_tval_write, NULL, NULL, gt_hyp_timer_reset },
+    { "CNTHP_CTL_EL2", 0,14,2, 3,4,1, ARM_CP_STATE_BOTH, ARM_CP_IO,
+      PL2_RW, 0, NULL, 0, offsetof(CPUARMState, cp15.c14_timer[GTIMER_HYP].ctl), {0, 0},
+      NULL, NULL, gt_hyp_ctl_write, NULL, raw_write },
 #endif
     REGINFO_SENTINEL
 };
diff --git a/qemu/x86_64.h b/qemu/x86_64.h
index 36bc833e..05c947d4 100644
--- a/qemu/x86_64.h
+++ b/qemu/x86_64.h
@@ -150,6 +150,7 @@
 #define arm_gen_test_cc arm_gen_test_cc_x86_64
 #define arm_gt_ptimer_cb arm_gt_ptimer_cb_x86_64
 #define arm_gt_vtimer_cb arm_gt_vtimer_cb_x86_64
+#define arm_gt_htimer_cb arm_gt_htimer_cb_x86_64
 #define arm_handle_psci_call arm_handle_psci_call_x86_64
 #define arm_is_psci_call arm_is_psci_call_x86_64
 #define arm_is_secure arm_is_secure_x86_64