I am doing some testing on the iMac Pro SecureBoot, and did some network traces:

Normal Boot (kernel booting starts at packet 10):


Notes: It doesn’t look like there are any certificate (OCSP or CRL) verification checks done.

Boot to recovery partition:


Notes: No obvious certificate validation. Checks to albert.apple.com and 2 hosts at domain symcb.com (which appears to be Symantec).

Boot to Boot Picker screen:


Notes: Not a log of activity and no DNS lookups, but lots of DHCP request that could be looking for a NetBoot Server.

In recovery partition, select startup disk and click the restart button:


Notes: This appears to be where the certificate validation list is updated.  Requests to an OCSP and CRL servers. Also, requests to e6858.dsce9.akamaiedge.net.