diff --git a/1003-OvmfPkg-AmdSev-Support-full-disk-encryption-based-on.patch b/1003-OvmfPkg-AmdSev-Support-full-disk-encryption-based-on.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f40f9403bece6e0bb3bfa3f7ec1f07203f4b2de7
--- /dev/null
+++ b/1003-OvmfPkg-AmdSev-Support-full-disk-encryption-based-on.patch
@@ -0,0 +1,124 @@
+From a071f7068ae2887a663c351905567a8f7940b313 Mon Sep 17 00:00:00 2001
+From: hanliyang
+Date: Fri, 2 Aug 2024 02:06:58 +0800
+Subject: [PATCH] OvmfPkg/AmdSev: Support full-disk encryption based on Grub
+ efisecret mod
+
+When we place grub FV package into OVMF.fd to support full-disk
+encryption, we need provide grub components as the build env.
+
+===
+Prerequisite:
+
+1. If the grub in your system has already support efisecret module, then
+you should run cmds as follows to support build OVMF.fd.
+ $ cd /usr
+ $ sudo tar --transform='s/^/grub\// -zcf grub.tar.gz lib/grub/
+ $ sudo mv grub.tar.gz /opt
+ $ cd /opt/
+ $ sudo tar -xzf grub.tar.gz
+
+2. If the grub in your system does not support efisecret module, then we
+can clone the grub repository and checkout to commit 578c95298 ("
+kern: Add lockdown support"), and backport the following patch series:
+ https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00257.html
+ https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00258.html
+ https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00259.html
+ https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00260.html
+After we have prepared for the grub codes, we should build it and
+install the grub components to /opt/grub. The steps is shown as below:
+ $ ./bootstrap
+ $ ./autogen.sh
+ $ ./configure --target=x86_64 --with-platform=efi -prefix=/grub
+ $ make -j$(getconf _NPROCESSORS_ONLN)
+ $ sudo make install DESTDIR=/opt/
+ $ cd /opt/
+ $ sudo tar -zcf grub.tar.gz grub
+
+Note: the grub.tar.gz metioned above will be used when enabling
+full-disk encryption in the guest.
+
+===
+Build OVMF.fd:
+
+When we build the OVMF.fd which support full-disk encryption, we should
+delete stale grub.efi in the source tree:
+ $ rm OvmfPkg/AmdSev/Grub/grub.efi
+And specify the dsc file:
+ $ OvmfPkg/build.sh ... -a X64 -p OvmfPkg/AmdSev/AmdSevX64.dsc ...
+
+Signed-off-by: hanliyang
+---
+ OvmfPkg/AmdSev/Grub/grub.cfg | 22 +++++++++++++++-------
+ OvmfPkg/AmdSev/Grub/grub.sh | 4 ++--
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/Grub/grub.cfg b/OvmfPkg/AmdSev/Grub/grub.cfg
+index 17be942..93eea0b 100644
+--- a/OvmfPkg/AmdSev/Grub/grub.cfg
++++ b/OvmfPkg/AmdSev/Grub/grub.cfg
+@@ -10,16 +10,12 @@
+ ##
+
+ echo "Entering grub config"
+-sevsecret
++cryptomount -s efisecret
+ if [ $? -ne 0 ]; then
+ echo "Failed to locate anything in the SEV secret area, prompting for password"
++ echo "OR"
++ echo "Failed to mount root securely, retrying with password prompt"
+ cryptomount -a
+-else
+- cryptomount -s
+- if [ $? -ne 0 ]; then
+- echo "Failed to mount root securely, retrying with password prompt"
+- cryptomount -a
+- fi
+ fi
+ set root=
+ for f in (crypto*); do
+@@ -27,6 +23,18 @@ for f in (crypto*); do
+ set root=$f
+ set prefix=($root)/boot/grub
+ break;
++ elif [ -e $f/boot/grub2/grub.cfg ]; then
++ set root=$f
++ set prefix=($root)/boot/grub
++ break;
++ elif [ -e $f/grub/grub.cfg ]; then
++ set root=$f
++ set prefix=($root)/grub
++ break;
++ elif [ -e $f/grub2/grub.cfg ]; then
++ set root=$f
++ set prefix=($root)/grub2
++ break;
+ fi
+ done
+ if [ x$root = x ]; then
+diff --git a/OvmfPkg/AmdSev/Grub/grub.sh b/OvmfPkg/AmdSev/Grub/grub.sh
+index 99807d7..c8e57a1 100644
+--- a/OvmfPkg/AmdSev/Grub/grub.sh
++++ b/OvmfPkg/AmdSev/Grub/grub.sh
+@@ -42,9 +42,8 @@ GRUB_MODULES="
+ test
+ regexp
+ linux
+- linuxefi
+ reboot
+- sevsecret
++ efisecret
+ "
+ basedir=$(dirname -- "$0")
+
+@@ -85,6 +84,7 @@ mcopy -i "${basedir}/disk.fat" -- "${basedir}/grub.cfg" ::grub.cfg
+ ${mkimage} -O x86_64-efi \
+ -p '(crypto0)' \
+ -c "${basedir}/grub-bootstrap.cfg" \
++ -d "/opt/grub/lib/grub/x86_64-efi" \
+ -m "${basedir}/disk.fat" \
+ -o "${basedir}/grub.efi" \
+ ${GRUB_MODULES}
+--
+2.41.0
+
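Review bot: The new `-d "/opt/grub/lib/grub/x86_64-efi"` argument added to the mkimage call in grub.sh hard-codes an absolute, out-of-tree module directory, so the grub.efi embedded into OVMF.fd is assembled from whatever is installed on the build host at that path rather than from a pinned, versioned input. The commit message itself describes populating that directory from a hand-patched grub checkout, so two builds on different hosts can silently produce different firmware images (and, as far as I can tell, different launch measurements) with no error from the script. Consider taking the path from an overridable variable with this value as its default, e.g. `grub_moddir=${GRUB_MODDIR:-/opt/grub/lib/grub/x86_64-efi}` near the top of grub.sh and `-d "${grub_moddir}" \` here, and having grub.sh check that the directory and the efisecret module exist and fail with a clear message before invoking mkimage. The mkimage invocation and the enclosing script continue outside the hunk; separately, the merged failure text in grub.cfg (`echo "OR"`) reads awkwardly now that `cryptomount -s efisecret` is a single step and could be collapsed into one message.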
diff --git a/edk2.spec b/edk2.spec
index 50405ed7d8aa92e6b5feaab94b2f9c690d356621..2910aab20861ff72cc1471a61b7ec7e4c81612ea 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -1,4 +1,4 @@
-%define anolis_release 8
+%define anolis_release 9
 %undefine _auto_set_build_flags ExclusiveArch: x86_64 aarch64 loongarch64
@@ -93,6 +93,8 @@ Patch0021: 0021-OvmfPkg-IoMmuDxe-Implement-SetAttribute-of-CsvIoMmu.patch Patch1001: 1001-Bugfix-for-CVE-2023-45237.patch Patch1002: 1002-Bugfix-for-CVE-2023-45236.patch
+Patch1003: 1003-OvmfPkg-AmdSev-Support-full-disk-encryption-based-on.patch
+
 BuildRequires: python3-devel BuildRequires: libuuid-devel %ifnarch loongarch64
@@ -497,6 +499,9 @@ install -m 0644 \ %changelog
+* Wed Jan 01 2025 hanliyang - 202402-9
+- Support build OVMF.fd based on full-disk encryption
+
 * Tue Nov 26 2024 Xiaotian Wu - 202402-8 - Update LoongArch virtual machine to fix fdt parse error