diff --git a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
index c373844cea79..5c0c9a0e1097 100644
--- a/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
+++ b/arch/arm64/kvm/hyp/include/nvhe/pkvm.h
@@ -12,6 +12,13 @@
 #include
 #include
+/*
+ * Misconfiguration events that can undermine pKVM security.
+ */
+enum pkvm_system_misconfiguration {
+ NO_DMA_ISOLATION,
+};
+
 /*
 * Holds the relevant data for maintaining the vcpu state completely at hyp.
 */
@@ -146,4 +153,9 @@ int pkvm_load_pvmfw_pages(struct pkvm_hyp_vm *vm, u64 ipa, phys_addr_t phys,
 u64 size);
 void pkvm_poison_pvmfw_pages(void);
+/*
+ * Notify pKVM about events that can undermine pKVM security.
+ */
+void pkvm_handle_system_misconfiguration(enum pkvm_system_misconfiguration event);
+
 #endif /* __ARM64_KVM_NVHE_PKVM_H__ */
diff --git a/arch/arm64/kvm/hyp/nvhe/pkvm.c b/arch/arm64/kvm/hyp/nvhe/pkvm.c
index f160bc4306a5..4c649db27ddf 100644
--- a/arch/arm64/kvm/hyp/nvhe/pkvm.c
+++ b/arch/arm64/kvm/hyp/nvhe/pkvm.c
@@ -1524,3 +1524,14 @@ bool kvm_hyp_handle_hvc64(struct kvm_vcpu *vcpu, u64 *exit_code)
 return false;
 }
+
+/*
+ * Notify pKVM about events that can undermine pKVM security.
+ */
+void pkvm_handle_system_misconfiguration(enum pkvm_system_misconfiguration event)
+{
+ if (event == NO_DMA_ISOLATION)
+ pkvm_poison_pvmfw_pages();
+ else
+ BUG();
+}
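Review bot: The comment above the new pkvm_handle_system_misconfiguration() prototype in nvhe/pkvm.h does not say what the hypervisor does in response or who may call it, and both matter for a function whose effect (per the pkvm.c hunk) is to poison the pvmfw pages or hit BUG(). I would extend it to something like `/* Called by hyp code that detects a misconfiguration; NO_DMA_ISOLATION poisons the pvmfw pages, any other value is a BUG(). */`. The callers are not visible in this diff, so if the event value can ever derive from a host-supplied argument, that should be stated here and range-checked at the call site. The same comment text is duplicated above the definition in arch/arm64/kvm/hyp/nvhe/pkvm.c.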
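Review bot: The `else BUG();` branch in pkvm_handle_system_misconfiguration() (nvhe/pkvm.c) means any enumerator later added to enum pkvm_system_misconfiguration builds cleanly and only fails at run time, as a BUG() in the hypervisor. A `switch` on the enum with no `default:` lets the compiler's -Wswitch warning point at the unhandled value, while a BUG() after the switch still traps out-of-range values. Whether pkvm_poison_pvmfw_pages() is safe to run concurrently with pkvm_load_pvmfw_pages() is not visible in this hunk and is worth confirming, since this handler presumably runs whenever the misconfiguration is detected.

```c
void pkvm_handle_system_misconfiguration(enum pkvm_system_misconfiguration event)
{
	/* No default: so -Wswitch reports enumerators that lack a case. */
	switch (event) {
	case NO_DMA_ISOLATION:
		pkvm_poison_pvmfw_pages();
		return;
	}

	/* Only reached for a value outside the enum. */
	BUG();
}
```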