diff --git a/proxyclient/experiments/pmp_init.py b/proxyclient/experiments/pmp_init.py
new file mode 100644
index 000000000..d766873de
--- /dev/null
+++ b/proxyclient/experiments/pmp_init.py
@@ -0,0 +1,276 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: MIT
+import sys, pathlib
+sys.path.append(str(pathlib.Path(__file__).resolve().parents[1]))
+
+import struct
+from construct import *
+from copy import deepcopy
+from m1n1.setup import *
+from m1n1.shell import run_shell
+from m1n1.fw.asc import StandardASC
+from m1n1.fw.asc.base import ASCBaseEndpoint, msg_handler
+from m1n1.utils import *
+from m1n1.hw.dart import DART
+
+def round_up(x, y): return ((x + (y - 1)) & (-y))
+def round_down(x, y): return (x - (x % y))
+
+AOPBootargsItem = Struct(
+    "key" / PaddedString(4, "utf8"),
+    "size" / Int32ul,
+)
+
+class AOPBootargs:
+    def __init__(self, bytes_):
+        self.blob = bytearray(bytes_)
+        self.index = self.build_index(self.blob)
+
+    def build_index(self, blob):
+        off = 0
+        fields = []
+        while off < len(blob):
+            item = AOPBootargsItem.parse(blob[off:off+AOPBootargsItem.sizeof()])
+            off += AOPBootargsItem.sizeof()
+            fields.append((item.key, (off, item.size)))
+            off += item.size
+        if off > len(blob):
+            raise ValueError('blob overran during parsing')
+        return dict(fields)
+
+    def items(self):
+        for key, span in self.index.items():
+            off, length = span
+            yield key, self.blob[off:off + length]
+
+    def __getitem__(self, key):
+        off, length = self.index[key]
+        return bytes(self.blob[off:off + length])
+
+    def __setitem__(self, key, value):
+        off, length = self.index[key]
+        if type(value) is int:
+            value = int.to_bytes(value, length, byteorder='little')
+        elif type(value) is str:
+            value = value.encode('ascii')
+        if len(value) > length:
+            raise ValueError(f'field {key:s} overflown')
+        self.blob[off:off + length] = value
+
+    def update(self, keyvals):
+        for key, val in keyvals.items():
+            self[key] = val
+
+    def keys(self):
+        return self.index.keys()
+
+    def dump(self, logger):
+        for key, val in self.items():
+            logger(f"{key:4s} = {val}")
+
+    def dump_diff(self, other, logger):
+        assert self.index == other.index
+        for key in self.keys():
+            if self[key] != other[key]:
+                logger(f"\t{key:4s} = {self[key]} -> {other[key]}")
+
+    def to_bytes(self):
+        return bytes(self.blob)
+
+class AOPBase:
+    def __init__(self, u):
+        self.u = u
+        self.nub_base = u.adt["/arm-io/pmp/iop-pmp-nub"].region_base
+
+    @property
+    def _bootargs_span(self):
+        """
+        [cpu1] MMIO: R.4   0x24ac0022c (aop[2], offset 0x22c) = 0xaffd8 // offset
+        [cpu1] MMIO: R.4   0x24ac00230 (aop[2], offset 0x230) = 0x2ae // size
+        [cpu1] MMIO: R.4   0x24ac00234 (aop[2], offset 0x234) = 0x82000 // va? low
+        [cpu1] MMIO: R.4   0x24ac00238 (aop[2], offset 0x238) = 0x0 // va? high
+        [cpu1] MMIO: R.4   0x24ac0023c (aop[2], offset 0x23c) = 0x4ac82000 // phys low
+        [cpu1] MMIO: R.4   0x24ac00240 (aop[2], offset 0x240) = 0x2 // phys high
+        [cpu1] MMIO: W.4   0x24acaffd8 (aop[2], offset 0xaffd8) = 0x53544b47 // start of bootargs
+        [cpu1] MMIO: W.4   0x24acaffdc (aop[2], offset 0xaffdc) = 0x8
+        [cpu1] MMIO: W.4   0x24acaffe0 (aop[2], offset 0xaffe0) = 0x73eed2a3
+        ...
+        [cpu1] MMIO: W.4   0x24acb0280 (aop[2], offset 0xb0280) = 0x10000
+        [cpu1] MMIO: W.4   0x24acb0284 (aop[2], offset 0xb0284) = 0x0 // end of bootargs
+        """
+        offset = self.u.proxy.read32(self.nub_base + 0x22c) # 0x224 in 12.3
+        size = self.u.proxy.read32(self.nub_base + 0x230) # 0x228 in 12.3
+        return (self.nub_base + offset, size)
+
+    def read_bootargs(self):
+        addr, size = self._bootargs_span
+        blob = self.u.proxy.iface.readmem(addr, size)
+        return AOPBootargs(blob)
+
+    def write_bootargs(self, args):
+        base, _ = self._bootargs_span
+        self.u.proxy.iface.writemem(base, args.to_bytes())
+
+    def update_bootargs(self, keyval, logger=print):
+        args = self.read_bootargs()
+        old = deepcopy(args)
+        args.update(keyval)
+        self.write_bootargs(args)
+        old.dump_diff(args, logger)
+
+class PMPMessage(Register64):
+    TYPE = 56, 48
+
+class PMPMessage_IOVATableAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x11)
+    IOVA = 47, 0
+
+class PMPMessage_Malloc(PMPMessage):
+    TYPE = 56, 48, Constant(0x12)
+    SIZE = 23, 0
+
+class PMPMessage_MallocAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x13)
+    IOVA = 47, 0
+
+class PMPMessage_Free(PMPMessage):
+    TYPE = 56, 48, Constant(0x14)
+    IOVA = 47, 0
+
+class PMPMessage_SetBuf(PMPMessage):
+    TYPE = 56, 48, Constant(0x30)
+    IOVA = 47, 0
+
+class PMPMessage_Advertise(PMPMessage):
+    TYPE = 56, 48, Constant(0x32)
+    IOVA = 47, 0
+
+class PMPMessage_AdvertiseAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x33)
+    INDEX = 47, 32
+    SIZE = 31, 0
+
+class PMPMessage_SetVal(PMPMessage):
+    TYPE = 56, 48, Constant(0x34)
+    INDEX = 15, 0
+
+class PMPMessage_SetValAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x35)
+    SIZE = 31, 0
+
+class PMPEp(ASCBaseEndpoint):
+    BASE_MESSAGE = PMPMessage
+    SHORT = "pmp"
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.allocs = {}
+        self.ioregs = []
+
+    @msg_handler(0x10, PMPMessage)
+    def GetIOVATable(self, msg):
+        self.log(f'IovaTable: {msg}')
+        table, table_dva = self.asc.ioalloc(512)
+        self.asc.iowrite(table_dva, b'\0' * 512)
+        pio_base = u.adt["/arm-io/dart-pmp"].pio_vm_base
+        granularity = u.adt["/arm-io/dart-pmp"].pio_granularity
+        i = 0
+        for j in range(4, len(u.adt["/arm-io/pmp"].reg)):
+            host_addr, size = u.adt["/arm-io/pmp"].get_reg(j)
+            self.asc.dart.iomap_at(0, pio_base, host_addr, size)
+            self.asc.dart.invalidate_streams(1)
+            self.asc.iowrite(table_dva + 24 * i, struct.pack("<QQQ", host_addr, pio_base, size))
+            pio_base += granularity
+            i += 1
+        self.send(PMPMessage_IOVATableAck(IOVA=table_dva))
+    @msg_handler(0x12, PMPMessage_Malloc)
+    def Malloc(self, msg):
+        self.log(f'Malloc: {msg}')
+        addr, dva = self.asc.ioalloc(msg.SIZE)
+        self.allocs[dva] = addr
+        self.send(PMPMessage_MallocAck(IOVA=dva))
+    @msg_handler(0x14, PMPMessage_Free)
+    def Free(self, msg):
+        self.log(f'Free: {msg}')
+        #i dont think we can
+        self.send(PMPMessage(TYPE=0x15))
+
+    @msg_handler(0x30, PMPMessage_SetBuf)
+    def SetBuf(self, msg):
+        self.log(f'SetBuf: {msg}')
+        self.buf_ptr, _ = struct.unpack("<QQ", self.asc.ioread(msg.IOVA, 16))
+        self.send(PMPMessage(TYPE=0x31))
+    @msg_handler(0x32, PMPMessage_Advertise)
+    def Advertise(self, msg):
+        self.log(f'Advertise: {msg}')
+        data = self.asc.ioread(msg.IOVA, 0x50)
+        name = data[:0x30] + b'\0'
+        size = struct.unpack("<I", data[0x40:0x44])[0]
+        if size == 0:
+            i = 0
+            print(name)
+            while name[i] != 0:
+                i += 1
+            name = name[:i].decode()
+            self.log(f"Reading prop {name}")
+            data = getattr(u.adt["/arm-io/pmp/iop-pmp-nub"], name, None)
+            if data is None:
+                self.log("unknown property")
+                size = 0
+            else:
+                if isinstance(data, int):
+                    if data > 0xffffffff:
+                        data = struct.pack("<Q", data)
+                    else:
+                        data = struct.pack("<I", data)
+                self.asc.iowrite(self.buf_ptr, data)
+                size = len(data)
+        self.ioregs.append(size)
+        index = len(self.ioregs)
+        self.send(PMPMessage_AdvertiseAck(INDEX=index, SIZE=size))
+
+    @msg_handler(0x34, PMPMessage_SetVal)
+    def SetVal(self, msg):
+        self.log(f'SetVal: {msg}')
+        self.send(PMPMessage_SetValAck(SIZE=self.ioregs[msg.INDEX]))
+
+
+class PMPClient(StandardASC, AOPBase):
+    ENDPOINTS = {0x20: PMPEp}
+    def __init__(self, u, dev_path, dart=None):
+        node = u.adt[dev_path]
+        asc_base = node.get_reg(0)[0]
+        AOPBase.__init__(self, u)
+        super().__init__(u, asc_base, dart)
+        self.dart = dart
+
+if u.adt['/arm-io'].compatible[0].startswith('arm-io,t8103'):
+    print("you have a pmp v1, this script is for v2 only")
+    exit(1)
+elif u.adt['/arm-io'].compatible[0].startswith('arm-io,t600'):
+    p.write64(0x28e3d07c0, 0x1000)
+elif u.adt['/arm-io'].compatible[0].startswith('arm-io,t602'):
+    p.write64(0x28e3d1000, 0x2000)
+elif u.adt['/arm-io'].compatible[0].startswith('arm-io,t8112'):
+    p.write64(0x23b3d0500, 0x80)
+else:
+    print("FIXME: put the correct SOC-DEV-PS-REQ offset for your machine here")
+    exit(1)
+
+dart = DART.from_adt(u, "/arm-io/dart-pmp")
+dart.verbose = 1
+dart.initialize()
+
+pmp = PMPClient(u, "/arm-io/pmp", dart)
+pmp.verbose = 4
+pmp.update_bootargs({
+     'BDID'[::-1]: u.adt['/chosen'].board_id,
+     'DCAP'[::-1]: u.adt["/arm-io/pmp/iop-pmp-nub"].dram_capacity,
+     'DVID'[::-1]: u.adt['/chosen'].dram_vendor_id,
+})
+p.dapf_init_all()
+
+pmp.start()
+pmp.start_ep(0x20)
+pmp.work_for(10)
+
+run_shell(locals(), poll_func=pmp.work)
diff --git a/proxyclient/hv/trace_pmp.py b/proxyclient/hv/trace_pmp.py
new file mode 100644
index 000000000..7487b786a
--- /dev/null
+++ b/proxyclient/hv/trace_pmp.py
@@ -0,0 +1,177 @@
+from m1n1.trace import Tracer
+from m1n1.trace.dart import DARTTracer
+from m1n1.trace.asc import ASCTracer, EP, EPState, msg, msg_log, DIR, EPContainer
+from m1n1.utils import *
+from m1n1.constructutils import *
+from m1n1.proxyutils import RegMonitor
+
+import sys
+import struct
+
+iomon = RegMonitor(hv.u, ascii=True)
+iomon_args = RegMonitor(hv.u, ascii=True)
+
+class PMPMessage(Register64):
+    TYPE = 56, 48
+
+class PMPMessage_IOVATableAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x11)
+    IOVA = 47, 0
+
+class PMPMessage_Malloc(PMPMessage):
+    TYPE = 56, 48, Constant(0x12)
+    SIZE = 23, 0
+
+class PMPMessage_MallocAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x13)
+    IOVA = 47, 0
+
+class PMPMessage_Free(PMPMessage):
+    TYPE = 56, 48, Constant(0x14)
+    IOVA = 47, 0
+
+class PMPMessage_SetBuf(PMPMessage):
+    TYPE = 56, 48, Constant(0x30)
+    IOVA = 47, 0
+
+class PMPMessage_Advertise(PMPMessage):
+    TYPE = 56, 48, Constant(0x32)
+    IOVA = 47, 0
+
+class PMPMessage_AdvertiseAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x33)
+    INDEX = 47, 32
+    SIZE = 31, 0
+
+class PMPMessage_SetVal(PMPMessage):
+    TYPE = 56, 48, Constant(0x34)
+    INDEX = 15, 0
+
+class PMPMessage_SetValAck(PMPMessage):
+    TYPE = 56, 48, Constant(0x35)
+    SIZE = 31, 0
+
+class PMPEp(EP):
+    BASE_MESSAGE = PMPMessage
+
+    GetIOVATable = msg_log(0x10, DIR.RX)
+
+    @msg(0x11, DIR.TX, PMPMessage_IOVATableAck)
+    def GetIOVATableAck(self, msg):
+        ptr = msg.IOVA
+        lines = []
+        self.tracer.dart.invalidate_cache()
+        while 1:
+            host, periph, size = struct.unpack("<QQQ", self.tracer.ioread(ptr, 24))
+            if host == 0:
+                break
+            ptr += 24
+            lines.append(f'Host: {host:x}, Peripheral: {periph:x}, Size: {size:x}')
+        self.log('IO Mapping table:\n' + '\n'.join(lines))
+
+    Malloc = msg_log(0x12, DIR.RX, PMPMessage_Malloc)
+    MallocAck = msg_log(0x13, DIR.TX, PMPMessage_MallocAck)
+    Free = msg_log(0x14, DIR.RX, PMPMessage_Free)
+    FreeAck = msg_log(0x15, DIR.TX)
+
+    @msg(0x30, DIR.RX, PMPMessage_SetBuf)
+    def SetBuf(self, msg):
+        self.log(f'SetBuf: {msg}')
+        self.tracer.dart.invalidate_cache()
+        self.buf_ptr, _ = struct.unpack("<QQ", self.tracer.ioread(msg.IOVA, 16))
+        iomon.add(self.buf_ptr, 4096)
+
+    SetBufAck = msg_log(0x31, DIR.TX, PMPMessage)
+
+    @msg(0x32, DIR.RX, PMPMessage_Advertise)
+    def Advertise(self, msg):
+        self.tracer.dart.invalidate_cache()
+        self.log("Descriptor:")
+        data = self.tracer.ioread(msg.IOVA, 0x50)
+        chexdump(data, print_fn=self.log)
+        self.adv_size = struct.unpack("<I", data[0x40:0x44])[0]
+
+    @msg(0x33, DIR.TX, PMPMessage_AdvertiseAck)
+    def AdvertiseAck(self, msg):
+        if self.adv_size == 0:
+            iomon.poll()
+
+
+
+    @msg(0x34, DIR.RX, PMPMessage_SetVal)
+    def SetVal(self, msg):
+        chexdump(self.tracer.ioread(self.buf_ptr, 0x50), print_fn=self.log)
+
+    SetValAck = msg_log(0x35, DIR.TX, PMPMessage_SetValAck)
+
+class PMPTracer(ASCTracer):
+    ENDPOINTS = {0x20: PMPEp}
+
+    def w_CPU_CONTROL(self, val):
+        iomon_args.poll()
+        super().w_CPU_CONTROL(val)
+
+dart_pmp_tracer = DARTTracer(hv, "/arm-io/dart-pmp", verbose=4)
+dart_pmp_tracer.start()
+
+pmp_tracer = PMPTracer(hv, "/arm-io/pmp", verbose=1)
+pmp_tracer.start(dart_pmp_tracer.dart)
+
+def readmem_iova(addr, size, readfn=None):
+    try:
+        return dart_pmp_tracer.dart.ioread(0, addr, size)
+    except Exception as e:
+        print(e)
+        return None
+
+iomon.readmem = readmem_iova
+def readmem_phys(addr, size, readfn=None):
+    return hv.iface.readmem(addr, size)
+iomon_args.readmem = readmem_phys
+#iomon_args.add(*u.adt["/arm-io/pmp"].get_reg(2))
+#iomon_args.poll()
+
+pmp_ptd_range = u.adt['/arm-io/pmp/iop-pmp-nub'].ptd_range
+pmp_ptd_range_map = {}
+for i in range(len(pmp_ptd_range) // 32):
+    id, offset, _, name = struct.unpack('<II8s16s', pmp_ptd_range[i*32:(i+1)*32])
+    pmp_ptd_range_map[name.strip(b'\x00')] = offset
+
+class R_PmpStatus(Register64):
+    READY = 0
+
+pmp_bits = {dev.name:(dev.id1 - 1) for dev in u.adt['/arm-io/pmgr'].devices if dev.flags.notify_pmp}
+print(pmp_bits)
+
+R_StatusMap = type('R_StatusMap', (Register64,), pmp_bits)
+
+class PMPRegs(RegMap):
+    DEV_STATUS_TGT_RD = (pmp_ptd_range_map[b'SOC-DEV-PS-REQ'] * 16), R_StatusMap
+    DEV_STATUS_TGT_UNK = (pmp_ptd_range_map[b'SOC-DEV-PS-REQ'] * 16 + 8), Register64
+    DEV_STATUS_TGT_WR = (pmp_ptd_range_map[b'SOC-DEV-PS-REQ'] * 8 + 0x10000), R_StatusMap
+    DEV_STATUS_ACT = (pmp_ptd_range_map[b'SOC-DEV-PS-ACK'] * 16), R_StatusMap
+    DEV_STATUS_ACT_UNK = (pmp_ptd_range_map[b'SOC-DEV-PS-ACK'] * 16 + 8), Register64
+    PMP_STATUS = (pmp_ptd_range_map[b'PMP-STATUS'] * 16), R_PmpStatus
+    PMP_STATUS_UNK = (pmp_ptd_range_map[b'PMP-STATUS'] * 16 + 8), Register64
+
+
+class PMPRegTracer(Tracer):
+
+    def start(self):
+        start, len = u.adt['/arm-io/pmgr'].get_reg(41)
+        #self.trace(start, len, TraceMode.HOOK)
+        self.trace_regmap(start, len, PMPRegs, name="PMP", regmap_offset=0, mode=TraceMode.SYNC)
+    def hook_w(self, addr, val, width, **kwargs):
+        self.hv.log(f"PMP: W {addr:#x} <- {val:#x}")
+        super().hook_w(addr, val, width, **kwargs)
+    def hook_r(self, addr, width, **kwargs):
+        val = super().hook_r(addr, width, **kwargs)
+        self.hv.log(f"PMP: R {addr:#x} = {val:#x}")
+        return val
+    def evt_rw(self, *args, **kwargs):
+        super().evt_rw(*args, **kwargs)
+
+
+rt = PMPRegTracer(hv)
+rt.verbose = 4
+rt.start()
diff --git a/proxyclient/tools/pmp_assist.py b/proxyclient/tools/pmp_assist.py
new file mode 100755
index 000000000..a0dcbcbb3
--- /dev/null
+++ b/proxyclient/tools/pmp_assist.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: MIT
+import sys, pathlib
+import serial
+import struct
+sys.path.append(str(pathlib.Path(__file__).resolve().parents[1]))
+
+import argparse, pathlib
+
+from m1n1 import adt
+
+parser = argparse.ArgumentParser(description='PMP device tree helper')
+parser.add_argument('input', type=pathlib.Path)
+args = parser.parse_args()
+
+adt_data = args.input.read_bytes()
+dt = adt.load_adt(adt_data)
+
+
+pmp_ptd_range = dt['/arm-io/pmp/iop-pmp-nub'].ptd_range
+pmp_ptd_range_map = {}
+for i in range(len(pmp_ptd_range) // 32):
+    id, offset, _, name = struct.unpack('<II8s16s', pmp_ptd_range[i*32:(i+1)*32])
+    pmp_ptd_range_map[name.strip(b'\x00')] = offset
+
+print("DEV_STATUS_TGT_RD:", hex(pmp_ptd_range_map[b'SOC-DEV-PS-REQ'] * 16))
+print("DEV_STATUS_TGT_WR:", hex(pmp_ptd_range_map[b'SOC-DEV-PS-REQ'] * 8 + 0x10000))
+print("DEV_STATUS_ACT:", hex(pmp_ptd_range_map[b'SOC-DEV-PS-ACK'] * 16))
+print("PMP_STATUS:", hex(pmp_ptd_range_map[b'PMP-STATUS'] * 16))
+print()
+
+
+pmp_bits = [(dev.name, dev.id1 - 1) for dev in dt['/arm-io/pmgr'].devices if dev.flags.notify_pmp]
+pmp_bits.sort(key=lambda x: x[1])
+for n, b in pmp_bits:
+    print(n + ': ' + hex(b))
diff --git a/rust/src/adt.rs b/rust/src/adt.rs
index 3c2680d14..3b1e718bb 100644
--- a/rust/src/adt.rs
+++ b/rust/src/adt.rs
@@ -655,6 +655,21 @@ pub unsafe extern "C" fn adt_first_property_offset(_dt: *const c_void, offset: c
     unsafe { p.sub(adt as usize) as c_int }
 }
 
+// This function has load-bearing UB on the C side... The sound Rust equivalent
+// breaks this. Recreate the UB here rather than call the new Rust function.
+#[no_mangle]
+pub unsafe extern "C" fn adt_next_property_offset(_dt: *const c_void, offset: c_int) -> c_int {
+    let ptr: usize = unsafe { adt.add(offset as usize) as usize };
+    let p = ADTProperty::from_ptr(ptr).unwrap();
+    unsafe {
+        p.as_ptr()
+            .add(size_of::<[c_char; 32]>())
+            .add(size_of::<u32>())
+            .add((p.size as usize + (ADT_ALIGN - 1)) & !(ADT_ALIGN - 1))
+            .sub(adt as usize) as c_int
+    }
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn adt_first_child_offset(_dt: *const c_void, offset: c_int) -> c_int {
     let ptr: *const ADTNode = unsafe { adt.add(offset as usize) as *const ADTNode };
diff --git a/src/adt.h b/src/adt.h
index d963703ed..6bea107d0 100644
--- a/src/adt.h
+++ b/src/adt.h
@@ -18,6 +18,8 @@ struct adt_node_hdr {
     u32 child_count;
 };
 
+#define ADT_PROP(adt, offset) ((const struct adt_property *)(((u8 *)(adt)) + (offset)))
+
 /* This API is designed to match libfdt's read-only API */
 
 /* Required for Rust until we move xnuboot across */
@@ -30,6 +32,8 @@ int adt_get_property_count(const void *adt, int offset);
 
 int adt_first_property_offset(const void *adt, int offset);
 
+int adt_next_property_offset(const void *adt, int offset);
+
 const struct adt_property *adt_get_property_by_offset(const void *adt, int offset);
 
 int adt_get_child_count(const void *adt, int offset);
@@ -63,6 +67,13 @@ bool adt_is_compatible_at(const void *adt, int nodeoffset, const char *compat, s
         for (node = adt_first_child_offset(adt, node); _child_count--;                             \
              node = adt_next_sibling_offset(adt, node))
 
+#define ADT_FOREACH_PROPERTY(adt, node, prop)                                                      \
+    for (int _prop_count = adt_get_property_count(adt, node),                                      \
+             _poff = adt_first_property_offset(adt, node);                                         \
+         _prop_count; _prop_count = 0)                                                             \
+        for (const struct adt_property *prop = ADT_PROP(adt, _poff); _prop_count--;                \
+             prop = ADT_PROP(adt, _poff = adt_next_property_offset(adt, _poff)))
+
 /* Common ADT properties */
 struct adt_segment_ranges {
     u64 phys;
diff --git a/src/kboot.c b/src/kboot.c
index 19fef6f73..15232a2c6 100644
--- a/src/kboot.c
+++ b/src/kboot.c
@@ -1984,6 +1984,55 @@ static int dt_set_display(void)
         return dt_vram_reserved_region("dcp", "disp0");
 }
 
+static const char *excluded_pmp_props[] = {
+    "compatible",    "AAPL,phandle",    "region-base", "region-size",
+    "segment-names", "segment-ranges",  "pre-loaded",  "firmware-name",
+    "dram-capacity", "coredump-enable", NULL,
+};
+
+static int dt_set_pmp(void)
+{
+    int chosen_anode = adt_path_offset(adt, "/chosen");
+    if (chosen_anode < 0)
+        bail("ADT: /chosen not found \n");
+    int pmp_iop_anode = adt_path_offset(adt, "/arm-io/pmp/iop-pmp-nub");
+    if (pmp_iop_anode < 0)
+        bail("ADT: /arm-io/pmp/iop-pmp-nub not found \n");
+
+    u32 board_id, dram_vendor_id, dram_capacity;
+    if (ADT_GETPROP(adt, chosen_anode, "board-id", &board_id) < 0)
+        bail("ADT: failed to get board id\n");
+    if (ADT_GETPROP(adt, chosen_anode, "dram-vendor-id", &dram_vendor_id) < 0)
+        bail("ADT: failed to get dram vendor id\n");
+    if (ADT_GETPROP(adt, pmp_iop_anode, "dram-capacity", &dram_capacity) < 0)
+        bail("ADT: failed to get dram capacity\n");
+
+    int pmp_node = fdt_path_offset(dt, "pmp");
+    if (pmp_node < 0)
+        bail("FDT: pmp not not found in devtree\n");
+    if (fdt_setprop_u32(dt, pmp_node, "apple,board-id", board_id))
+        bail("FDT: failed to set board id\n");
+    if (fdt_setprop_u32(dt, pmp_node, "apple,dram-vendor-id", dram_vendor_id))
+        bail("FDT: failed to set dram vendor id\n");
+    if (fdt_setprop_u32(dt, pmp_node, "apple,dram-capacity", dram_capacity))
+        bail("FDT: failed to set dram capacity\n");
+
+    int tunables_node = fdt_subnode_offset(dt, pmp_node, "tunables");
+    if (tunables_node < 0)
+        bail("FDT: pmp tunables not not found in devtree\n");
+
+    ADT_FOREACH_PROPERTY(adt, pmp_iop_anode, prop)
+    {
+        for (int i = 0; excluded_pmp_props[i]; i++)
+            if (!strcmp(prop->name, excluded_pmp_props[i]))
+                goto next_adt_prop;
+        if (fdt_setprop(dt, tunables_node, prop->name, prop->value, prop->size))
+            bail("FDT: failed to transfer pmp tunable");
+    next_adt_prop:;
+    }
+    return 0;
+}
+
 static int dt_set_sep(void)
 {
     const char *path = fdt_get_alias(dt, "sep");
@@ -2685,6 +2734,8 @@ int kboot_prepare_dt(void *fdt)
         return -1;
     if (dt_set_sep())
         return -1;
+    if (dt_set_pmp())
+        return -1;
     if (dt_set_nvram())
         return -1;
     if (dt_set_ipd())