An overview of how to replace UEFI!
UEFI is a black box containing plenty of buggy drivers written in C (called DXE drivers) that nobody will ever fix.
Now you can not only replace many of them, but even write your own bootloader in, for example, Go. For that, you have to compile Linux to run in ring 0 (around 800 KBytes); after that you can put whatever you want to start into your RAMFS, getting back control over how your machine boots, what encryption is used … PXE, for example, still boots over the unencrypted TFTP protocol, a NO-GO!