writing this from the phone, so hardly will be helpful. but, first, the calling convention is specified in the spec the latter is described on the Microsoft site, see the link and second, personally, I believe they go before shadow space, since the shadow space is for the first parameters, (I was wrong, they go
after the shadow space) third, why you just don't check, crashing UEFI in VM is not that scary, I did that a hundred of times.
fourth, read the article below, it describes it fully. in conclusion, your second variant is correct.
here read, there are answers there.