I am doing some testing on the iMac Pro SecureBoot, and did some network traces:

Normal Boot (kernel booting starts at packet 10):

https://tcs-blog.s3.amazonaws.com/normal/normal_startup_trace.pcap.gz

Notes: It doesn’t look like there are any certificate (OCSP or CRL) verification checks done.

Boot to recovery partition:

http://tcs-blog.s3.amazonaws.com/boot%20to%20recovery/boot_to_recovery_trace.pcap.gz

Notes: No obvious certificate validation. Checks to albert.apple.com and 2 hosts at domain symcb.com (which appears to be Symantec).

Boot to Boot Picker screen:

https://tcs-blog.s3.amazonaws.com/boot%20picker/boot_picker_trace.pcap.gz

Notes: Not a log of activity and no DNS lookups, but lots of DHCP request that could be looking for a NetBoot Server.

In recovery partition, select startup disk and click the restart button:

https://tcs-blog.s3.amazonaws.com/recovery_select_startup_disk_and_click_restart/recovery_select_startup_disk_and_click_restart_trace.pcap.gz

Notes: This appears to be where the certificate validation list is updated.  Requests to an OCSP and CRL servers. Also, requests to e6858.dsce9.akamaiedge.net.