I am doing some testing on the iMac Pro SecureBoot, and did some network traces:
Normal Boot (kernel booting starts at packet 10):
https://tcs-blog.s3.amazonaws.com/normal/normal_startup_trace.pcap.gz
Notes: It doesn’t look like there are any certificate (OCSP or CRL) verification checks done.
Boot to recovery partition:
http://tcs-blog.s3.amazonaws.com/boot%20to%20recovery/boot_to_recovery_trace.pcap.gz
Notes: No obvious certificate validation. Checks to albert.apple.com and 2 hosts at domain symcb.com (which appears to be Symantec).
Boot to Boot Picker screen:
https://tcs-blog.s3.amazonaws.com/boot%20picker/boot_picker_trace.pcap.gz
Notes: Not a log of activity and no DNS lookups, but lots of DHCP request that could be looking for a NetBoot Server.
In recovery partition, select startup disk and click the restart button:
Notes: This appears to be where the certificate validation list is updated. Requests to an OCSP and CRL servers. Also, requests to e6858.dsce9.akamaiedge.net.