One big, major problem with building your own box is this. Cut and copied from a discussion on Google+ about this article.
From Intel on UEFI to Sourceforge.net
The verification steps for images signed as described in section 1.4 are:
1. Authenticate the image’s format and structure.
2. If the image is unsigned: If its signature is in the authorized database (DB) and is not in the forbidden database (DBX), run the image, otherwise deny.
3. If the image is signed, check if its certificate has been authorized (for example, the image’s certificate is found in the KEK or the authorized database (DB), and is not in the forbidden database (DBX)).
   - If the image’s certificate is authorized, then unless the image’s signature is in the forbidden database (DBX), run the image.
   - If the image’s certificate has not been authorized, then check its signature. If its signature is in the authorized database (DB) and is not in the forbidden database (DBX), run the image, otherwise deny running the image.
So it sounds like you could build a machine with signatures for every piece of firmware in DB, and then you'd be able to remove the Microsoft keys from the KEK. But the simpler solution is probably going to be just to leave the MS keys where they are. If you don't run any Microsoft code, then the chief danger that poses to you is that someone lifts their private key (unlikely) and even if they do the worst that happens is that you're back to pre-secure-boot security (not such a big deal, given it's doomed to failure anyway).
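The quoted verification steps, modelled as a small decision function and run against the "enroll every image in DB, drop the vendor key from KEK" setup discussed above. This is an added example, not code from Intel's document or from the discussion; the certificate and image names are constructed placeholders, and DB/DBX entries are treated as opaque strings.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass(frozen=True)
class Image:
    signature: str               # per-image value looked up in DB/DBX (the page's term)
    cert: Optional[str] = None   # signing certificate id; None means unsigned
    well_formed: bool = True     # outcome of step 1, assumed to be checked elsewhere

@dataclass
class Policy:
    kek: Set[str] = field(default_factory=set)   # key exchange keys
    db: Set[str] = field(default_factory=set)    # authorized certs and signatures
    dbx: Set[str] = field(default_factory=set)   # forbidden certs and signatures

def may_run(img: Image, p: Policy) -> bool:
    if not img.well_formed:                       # step 1: format and structure
        return False
    sig_ok = img.signature in p.db and img.signature not in p.dbx
    if img.cert is None:                          # step 2: unsigned image
        return sig_ok
    cert_ok = (img.cert in p.kek or img.cert in p.db) and img.cert not in p.dbx
    if cert_ok:                                   # step 3: certificate authorized
        return img.signature not in p.dbx
    return sig_ok                                 # step 3: fall back to the signature

def demo() -> dict:
    # Constructed sample data; none of these names are real keys or images.
    rom = Image("sig:gpu-option-rom", cert="cert:vendor-ca")
    loader = Image("sig:my-bootloader")
    other = Image("sig:other-vendor-loader", cert="cert:vendor-ca")
    stock = Policy(kek={"cert:vendor-ca"})
    # Own-built box: vendor cert removed from KEK, each needed image enrolled in DB.
    own = Policy(db={rom.signature, loader.signature})
    # Same box after one enrolled image is added to DBX.
    revoked = Policy(db=set(own.db), dbx={rom.signature})
    return {
        "stock/rom": may_run(rom, stock),
        "stock/loader": may_run(loader, stock),
        "own/rom": may_run(rom, own),
        "own/loader": may_run(loader, own),
        "own/other": may_run(other, own),
        "revoked/rom": may_run(rom, revoked),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:14} {'run' if allowed else 'deny'}")
```

The `own/other` case is the practical cost of removing the vendor key: anything signed by it that was not individually enrolled in DB stops booting.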