diff --git a/qemu/aarch64.h b/qemu/aarch64.h
index f69327a5..9a415407 100644
--- a/qemu/aarch64.h
+++ b/qemu/aarch64.h
@@ -3479,6 +3479,7 @@
 #define gen_ushl_i32 gen_ushl_i32_aarch64
 #define gen_ushl_i64 gen_ushl_i64_aarch64
 #define pmu_init pmu_init_aarch64
+#define helper_addsubg helper_addsubg_aarch64
 #define helper_advsimd_acge_f16 helper_advsimd_acge_f16_aarch64
 #define helper_advsimd_acgt_f16 helper_advsimd_acgt_f16_aarch64
 #define helper_advsimd_add2h helper_advsimd_add2h_aarch64
diff --git a/qemu/aarch64eb.h b/qemu/aarch64eb.h
index 8e1984e7..6e98f71c 100644
--- a/qemu/aarch64eb.h
+++ b/qemu/aarch64eb.h
@@ -3479,6 +3479,7 @@
 #define gen_ushl_i32 gen_ushl_i32_aarch64eb
 #define gen_ushl_i64 gen_ushl_i64_aarch64eb
 #define pmu_init pmu_init_aarch64eb
+#define helper_addsubg helper_addsubg_aarch64eb
 #define helper_advsimd_acge_f16 helper_advsimd_acge_f16_aarch64eb
 #define helper_advsimd_acgt_f16 helper_advsimd_acgt_f16_aarch64eb
 #define helper_advsimd_add2h helper_advsimd_add2h_aarch64eb
diff --git a/qemu/header_gen.py b/qemu/header_gen.py
index 43068a03..3b3579bf 100644
--- a/qemu/header_gen.py
+++ b/qemu/header_gen.py
@@ -3613,6 +3613,7 @@ aarch64_symbols = (
     'gen_ushl_i32',
     'gen_ushl_i64',
     'pmu_init',
+    'helper_addsubg',
     'helper_advsimd_acge_f16',
     'helper_advsimd_acgt_f16',
     'helper_advsimd_add2h',
diff --git a/qemu/target/arm/helper-a64.h b/qemu/target/arm/helper-a64.h
index 086e4415..e3fb1928 100644
--- a/qemu/target/arm/helper-a64.h
+++ b/qemu/target/arm/helper-a64.h
@@ -104,4 +104,5 @@ DEF_HELPER_FLAGS_3(autdb, TCG_CALL_NO_WG, i64, env, i64, i64)
 DEF_HELPER_FLAGS_2(xpaci, TCG_CALL_NO_RWG_SE, i64, env, i64)
 DEF_HELPER_FLAGS_2(xpacd, TCG_CALL_NO_RWG_SE, i64, env, i64)
 
-DEF_HELPER_FLAGS_3(irg, TCG_CALL_NO_RWG, i64, env, i64, i64)
\ No newline at end of file
+DEF_HELPER_FLAGS_3(irg, TCG_CALL_NO_RWG, i64, env, i64, i64)
+DEF_HELPER_FLAGS_4(addsubg, TCG_CALL_NO_RWG_SE, i64, env, i64, s32, i32)
\ No newline at end of file
diff --git a/qemu/target/arm/internals.h b/qemu/target/arm/internals.h
index e5320b4e..9eaf8715 100644
--- a/qemu/target/arm/internals.h
+++ b/qemu/target/arm/internals.h
@@ -1265,6 +1265,15 @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
  */
 #define GMID_EL1_BS  6
 
+/* We associate one allocation tag per 16 bytes, the minimum.  */
+#define LOG2_TAG_GRANULE 4
+#define TAG_GRANULE      (1 << LOG2_TAG_GRANULE)
+
+static inline int allocation_tag_from_addr(uint64_t ptr)
+{
+    return extract64(ptr, 56, 4);
+}
+
 static inline uint64_t address_with_allocation_tag(uint64_t ptr, int rtag)
 {
     return deposit64(ptr, 56, 4, rtag);
diff --git a/qemu/target/arm/translate-a64.c b/qemu/target/arm/translate-a64.c
index 09b1beb1..38fbb958 100644
--- a/qemu/target/arm/translate-a64.c
+++ b/qemu/target/arm/translate-a64.c
@@ -4004,6 +4004,55 @@ static void disas_add_sub_imm(DisasContext *s, uint32_t insn)
     tcg_temp_free_i64(tcg_ctx, tcg_result);
 }
 
+/*
+ * Add/subtract (immediate, with tags)
+ *
+ *  31 30 29 28         23 22 21     16 14      10 9   5 4   0
+ * +--+--+--+-------------+--+---------+--+-------+-----+-----+
+ * |sf|op| S| 1 0 0 0 1 1 |o2|  uimm6  |o3| uimm4 |  Rn | Rd  |
+ * +--+--+--+-------------+--+---------+--+-------+-----+-----+
+ *
+ *    op: 0 -> add, 1 -> sub
+ */
+static void disas_add_sub_imm_with_tags(DisasContext *s, uint32_t insn)
+{
+    TCGContext *tcg_ctx = s->uc->tcg_ctx;
+    int rd = extract32(insn, 0, 5);
+    int rn = extract32(insn, 5, 5);
+    int uimm4 = extract32(insn, 10, 4);
+    int uimm6 = extract32(insn, 16, 6);
+    bool sub_op = extract32(insn, 30, 1);
+    TCGv_i64 tcg_rn, tcg_rd;
+    int imm;
+
+    /* Test all of sf=1, S=0, o2=0, o3=0.  */
+    if ((insn & 0xa040c000u) != 0x80000000u ||
+        !dc_isar_feature(aa64_mte_insn_reg, s)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    imm = uimm6 << LOG2_TAG_GRANULE;
+    if (sub_op) {
+        imm = -imm;
+    }
+
+    tcg_rn = cpu_reg_sp(s, rn);
+    tcg_rd = cpu_reg_sp(s, rd);
+
+    if (s->ata) {
+        TCGv_i32 offset = tcg_const_i32(tcg_ctx, imm);
+        TCGv_i32 tag_offset = tcg_const_i32(tcg_ctx, uimm4);
+
+        gen_helper_addsubg(tcg_ctx, tcg_rd, tcg_ctx->cpu_env, tcg_rn, offset, tag_offset);
+        tcg_temp_free_i32(tcg_ctx, tag_offset);
+        tcg_temp_free_i32(tcg_ctx, offset);
+    } else {
+        tcg_gen_addi_i64(tcg_ctx, tcg_rd, tcg_rn, imm);
+        gen_address_with_allocation_tag0(tcg_ctx, tcg_rd, tcg_rd);
+    }
+}
+
 /* The input should be a value in the bottom e bits (with higher
  * bits zero); returns that value replicated into every element
  * of size e in a 64 bit integer.
@@ -4370,6 +4419,9 @@ static void disas_data_proc_imm(DisasContext *s, uint32_t insn)
     case 0x22: /* Add/subtract (immediate) */
         disas_add_sub_imm(s, insn);
         break;
+    case 0x23: /* Add/subtract (immediate, with tags) */
+        disas_add_sub_imm_with_tags(s, insn);
+        break;
     case 0x24: /* Logical (immediate) */
         disas_logic_imm(s, insn);
         break;