diff --git a/OvmfPkg/PlatformPei/AmdSev.c b/OvmfPkg/PlatformPei/AmdSev.c
index 1509f260fb..2e14eaf8c3 100644
--- a/OvmfPkg/PlatformPei/AmdSev.c
+++ b/OvmfPkg/PlatformPei/AmdSev.c
@@ -16,6 +16,7 @@
 // The package level header files this module uses
 //
 #include <Library/DebugLib.h>
+#include <Library/HobLib.h>
 #include <Library/MemEncryptSevLib.h>
 #include <Library/PcdLib.h>
 #include <PiPei.h>
@@ -66,4 +67,32 @@ AmdSevInitialize (
   //
   PcdStatus = PcdSet32S (PcdOptionRomImageVerificationPolicy, 0x4);
   ASSERT_RETURN_ERROR (PcdStatus);
+
+  //
+  // When SMM is required, cover the pages containing the initial SMRAM Save
+  // State Map with a memory allocation HOB:
+  //
+  // There's going to be a time interval between our decrypting those pages for
+  // SMBASE relocation and re-encrypting the same pages after SMBASE
+  // relocation. We shall ensure that the DXE phase stay away from those pages
+  // until after re-encryption, in order to prevent an information leak to the
+  // hypervisor.
+  //
+  if (FeaturePcdGet (PcdSmmSmramRequire) && (mBootMode != BOOT_ON_S3_RESUME)) {
+    RETURN_STATUS LocateMapStatus;
+    UINTN         MapPagesBase;
+    UINTN         MapPagesCount;
+
+    LocateMapStatus = MemEncryptSevLocateInitialSmramSaveStateMapPages (
+                        &MapPagesBase,
+                        &MapPagesCount
+                        );
+    ASSERT_RETURN_ERROR (LocateMapStatus);
+
+    BuildMemoryAllocationHob (
+      MapPagesBase,                      // BaseAddress
+      EFI_PAGES_TO_SIZE (MapPagesCount), // Length
+      EfiBootServicesData                // MemoryType
+      );
+  }
 }