diff --git a/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch b/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch
new file mode 100644
index 0000000..4b3dfb3
--- /dev/null
+++ b/0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch
@@ -0,0 +1,230 @@
+From 418ad50beaffaeb4b7b25d86b935f122f1740ebd Mon Sep 17 00:00:00 2001
+From: Brijesh Singh <brijesh.singh@amd.com>
+Date: Wed, 1 Dec 2021 10:24:07 -0600
+Subject: [PATCH 1/1] OvmfPkg/MemEncryptSevLib: Check the guest type before
+ EsWorkarea access
+
+The commit 80e67af9afca added support for a generic workarea concept.
+The workarea header contains the information of the guest type. The
+header is populated by ResetVector code during the guest detection.
+
+Currently, the InternalMemEncryptSevStatus() reads the EsWorkArea to
+determine the C-bit position. The EsWorkArea PCD is valid only for the
+SEV guest type. Add a check of the guest type before accessing the
+EsWorkArea PCD.
+
+Fixes: 80e67af9afca ("OvmfPkg: introduce a common work area")
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Min Xu <min.m.xu@intel.com>
+Cc: Jiewen Yao <jiewen.yao@intel.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Jordan Justen <jordan.l.justen@intel.com>
+Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
+Cc: Erdem Aktas <erdemaktas@google.com>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: Qi Zhou <atmgnd@outlook.com>
+Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
+Message-Id: <20211201162407.3323063-1-brijesh.singh@amd.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ .../DxeMemEncryptSevLib.inf                   |  2 +
+ .../PeiMemEncryptSevLib.inf                   |  2 +
+ .../SecMemEncryptSevLib.inf                   |  2 +
+ .../PeiMemEncryptSevLibInternal.c             | 50 +++++++++++++++-
+ .../SecMemEncryptSevLibInternal.c             | 58 ++++++++++++++++++-
+ 5 files changed, 110 insertions(+), 4 deletions(-)
+
+diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+index f2e162d68076..ca3d82ef93bf 100644
+--- a/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/DxeMemEncryptSevLib.inf
+@@ -54,4 +54,6 @@ [FeaturePcd]
+   gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
+ 
+ [Pcd]
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+   gEfiMdeModulePkgTokenSpaceGuid.PcdPteMemoryEncryptionAddressOrMask
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
+diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+index 03a78c32df28..2f27b5569d7a 100644
+--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLib.inf
+@@ -54,4 +54,6 @@ [FeaturePcd]
+   gUefiOvmfPkgTokenSpaceGuid.PcdSmmSmramRequire
+ 
+ [FixedPcd]
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
+diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+index 279c38bfbc2c..36c4f906d554 100644
+--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLib.inf
+@@ -48,4 +48,6 @@ [LibraryClasses]
+   PcdLib
+ 
+ [FixedPcd]
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfWorkAreaBase
+   gUefiCpuPkgTokenSpaceGuid.PcdSevEsWorkAreaBase
++  gUefiOvmfPkgTokenSpaceGuid.PcdOvmfConfidentialComputingWorkAreaHeader
+diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+index e2fd109d120f..c61bee4c4779 100644
+--- a/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/PeiMemEncryptSevLibInternal.c
+@@ -24,6 +24,52 @@ STATIC BOOLEAN mSevStatusChecked = FALSE;
+ STATIC UINT64  mSevEncryptionMask = 0;
+ STATIC BOOLEAN mSevEncryptionMaskSaved = FALSE;
+ 
++/**
++ Determine if the SEV is active.
++
++ During the early booting, GuestType is set in the work area. Verify that it
++ is an SEV guest.
++
++ @retval TRUE   SEV is enabled
++ @retval FALSE  SEV is not enabled
++
++ **/
++STATIC
++BOOLEAN
++IsSevGuest (
++  VOID
++  )
++{
++  OVMF_WORK_AREA  *WorkArea;
++
++  //
++  // Ensure that the size of the Confidential Computing work area header
++  // is same as what is provided through a fixed PCD.
++  //
++  ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) ==
++          sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
++
++  WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase);
++
++  return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV));
++}
++
++STATIC
++SEC_SEV_ES_WORK_AREA *
++GetSevEsWorkArea (
++  VOID
++  )
++{
++  //
++  // Before accessing the Es workarea lets verify that its SEV guest
++  //
++  if (!IsSevGuest()) {
++    return NULL;
++  }
++
++  return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++}
++
+ /**
+   Reads and sets the status of SEV features.
+ 
+@@ -43,7 +89,7 @@ InternalMemEncryptSevStatus (
+ 
+   ReadSevMsr = FALSE;
+ 
+-  SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++  SevEsWorkArea = GetSevEsWorkArea ();
+   if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) {
+     //
+     // The MSR has been read before, so it is safe to read it again and avoid
+@@ -139,7 +185,7 @@ MemEncryptSevGetEncryptionMask (
+   if (!mSevEncryptionMaskSaved) {
+     SEC_SEV_ES_WORK_AREA  *SevEsWorkArea;
+ 
+-    SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++    SevEsWorkArea = GetSevEsWorkArea ();
+     if (SevEsWorkArea != NULL) {
+       mSevEncryptionMask = SevEsWorkArea->EncryptionMask;
+     } else {
+diff --git a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+index 56d8f3f3183f..f906f0de1b6c 100644
+--- a/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
++++ b/OvmfPkg/Library/BaseMemEncryptSevLib/SecMemEncryptSevLibInternal.c
+@@ -17,6 +17,52 @@
+ #include <Register/Cpuid.h>
+ #include <Uefi/UefiBaseType.h>
+ 
++/**
++ Determine if the SEV is active.
++
++ During the early booting, GuestType is set in the work area. Verify that it
++ is an SEV guest.
++
++ @retval TRUE   SEV is enabled
++ @retval FALSE  SEV is not enabled
++
++ **/
++STATIC
++BOOLEAN
++IsSevGuest (
++  VOID
++  )
++{
++  OVMF_WORK_AREA  *WorkArea;
++
++  //
++  // Ensure that the size of the Confidential Computing work area header
++  // is same as what is provided through a fixed PCD.
++  //
++  ASSERT ((UINTN) FixedPcdGet32 (PcdOvmfConfidentialComputingWorkAreaHeader) ==
++          sizeof(CONFIDENTIAL_COMPUTING_WORK_AREA_HEADER));
++
++  WorkArea = (OVMF_WORK_AREA *) FixedPcdGet32 (PcdOvmfWorkAreaBase);
++
++  return ((WorkArea != NULL) && (WorkArea->Header.GuestType == GUEST_TYPE_AMD_SEV));
++}
++
++STATIC
++SEC_SEV_ES_WORK_AREA *
++GetSevEsWorkArea (
++  VOID
++  )
++{
++  //
++  // Before accessing the Es workarea lets verify that its SEV guest
++  //
++  if (!IsSevGuest()) {
++    return NULL;
++  }
++
++  return (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++}
++
+ /**
+   Reads and sets the status of SEV features.
+ 
+@@ -35,7 +81,8 @@ InternalMemEncryptSevStatus (
+ 
+   ReadSevMsr = FALSE;
+ 
+-  SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++
++  SevEsWorkArea = GetSevEsWorkArea ();
+   if (SevEsWorkArea != NULL && SevEsWorkArea->EncryptionMask != 0) {
+     //
+     // The MSR has been read before, so it is safe to read it again and avoid
+@@ -115,7 +162,14 @@ MemEncryptSevGetEncryptionMask (
+   SEC_SEV_ES_WORK_AREA              *SevEsWorkArea;
+   UINT64                            EncryptionMask;
+ 
+-  SevEsWorkArea = (SEC_SEV_ES_WORK_AREA *) FixedPcdGet32 (PcdSevEsWorkAreaBase);
++  //
++  // Before accessing the Es workarea lets verify that its SEV guest
++  //
++  if (!IsSevGuest()) {
++    return 0;
++  }
++
++  SevEsWorkArea = GetSevEsWorkArea ();
+   if (SevEsWorkArea != NULL) {
+     EncryptionMask = SevEsWorkArea->EncryptionMask;
+   } else {
+-- 
+2.33.1
+
diff --git a/edk2.spec b/edk2.spec
index e9ef8a5..a5e38f5 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -97,6 +97,7 @@ Patch0024: 0024-OvmfPkg-silence-EFI_D_VERBOSE-0x00400000-in-NvmExpre.patch
 Patch0025: 0025-CryptoPkg-OpensslLib-list-RHEL8-specific-OpenSSL-fil.patch
 Patch0026: 0026-OvmfPkg-QemuKernelLoaderFsDxe-suppress-error-on-no-k.patch
 Patch0027: 0027-SecurityPkg-Tcg2Dxe-suppress-error-on-no-swtpm-in-si.patch
+Patch0028: 0028-OvmfPkg-MemEncryptSevLib-Check-the-guest-type-before.patch
 
 # Fedora specific
 Patch1000: fedora-Tweak-the-tools_def-to-support-cross-compiling.patch