What exactly enforces secure boot on the iMac Pro?
The T2 enforces secure boot. At the highest level, on all Macs before the iMac Pro, High Sierra and the OS run on the main CPU, so there is no separation of power to check that the CPU / code is executing properly (or even that the parts of the OS Apple wants to protect are signed / verified with a checksum type calculation).
The T2 has its own operating system and performs all storage operations, so it's perfectly placed to enforce code signing / kernel extensions / system integrity protection.
Some additional details on this technically are presented below:
In essence, it’s a two-stage process, first driven by the T2, then driven by the more traditional system boot process.
https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4
Startup Security Utility configures the operation of the T2, so that when Full Security is enabled…
- The boot.efi bootloader is copied from the selected macOS in /System/Library/CoreServices/boot.efi to the PreBoot APFS partition in /usr/standalone/i386/boot.efi.
- The efi-boot-device variable in EFI is set to the path to the copied boot.efi.
https://twocanoes.com/secureboot-imac-pro/
The T2 is the first step of any boot thereafter:
Once the Mac is rebooted, the signature on the boot.efi specified in NVRAM on the PreBoot partition is verified.
https://twocanoes.com/secureboot-imac-pro/
When you start up the iMac Pro, the familiar Apple logo appears almost immediately. This is a sign that the T2 is taking control. For security reasons, the T2 is the iMac Pro hardware’s “root of trust,” and it validates the entire boot process when the power comes on. The T2 starts up, checks things out, loads its bootloader, verifies that it’s legitimate and cryptographically signed by Apple, and then moves on to the next part of the boot process.
https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4
Once the T2 is happy, EFI continues as usual:
If the bootloader signature check succeeds, then control is passed to the boot.efi and the Mac boots normally.
https://twocanoes.com/secureboot-imac-pro/
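The two-stage process the answer quotes, as an added model written for this page (not code from the answer, Apple or Twocanoes): Startup Security Utility stages boot.efi into the Preboot volume and records its path in efi-boot-device, then on the next boot the T2 verifies the signature on that file before handing it to EFI. It assumes in-memory maps for the volumes and NVRAM, a throwaway Ed25519 key standing in for Apple's signing key, and the paths quoted above.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)
// Paths quoted in the answer above; the signing key is a throwaway pair standing in for Apple's.
const systemBootEFI, prebootBootEFI = "/System/Library/CoreServices/boot.efi", "/usr/standalone/i386/boot.efi"
// Mac models what the T2 consults: volumes as path->bytes, NVRAM, and the vendor key assumed baked into the T2.
type Mac struct {
	SystemVolume, Preboot map[string][]byte
	NVRAM                 map[string]string
	T2TrustedRoot         ed25519.PublicKey
}
// NewMac builds a Mac whose system volume holds boot.efi stored as sig || image (a modelling choice).
func NewMac(priv ed25519.PrivateKey, image []byte) *Mac {
	blob := append(ed25519.Sign(priv, image), image...)
	return &Mac{SystemVolume: map[string][]byte{systemBootEFI: blob},
		Preboot: map[string][]byte{}, NVRAM: map[string]string{},
		T2TrustedRoot: priv.Public().(ed25519.PublicKey)}
}
// ConfigureFullSecurity is the Startup Security Utility step: copy boot.efi into Preboot and point efi-boot-device at it.
func (m *Mac) ConfigureFullSecurity() {
	m.Preboot[prebootBootEFI] = append([]byte(nil), m.SystemVolume[systemBootEFI]...)
	m.NVRAM["efi-boot-device"] = prebootBootEFI
}
// T2Boot is stage one: verify the bootloader named in NVRAM; on success return it for EFI, on failure halt the boot.
func (m *Mac) T2Boot() ([]byte, error) {
	blob := m.Preboot[m.NVRAM["efi-boot-device"]]
	if len(blob) < ed25519.SignatureSize {
		return nil, errors.New("no bootloader at the efi-boot-device path")
	}
	sig, image := blob[:ed25519.SignatureSize], blob[ed25519.SignatureSize:]
	if !ed25519.Verify(m.T2TrustedRoot, image, sig) {
		return nil, errors.New("boot.efi signature check failed")
	}
	return image, nil // stage two: EFI continues with this verified boot.efi
}
func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	m := NewMac(priv, []byte("constructed boot.efi image"))
	m.ConfigureFullSecurity()
	_, genuine := m.T2Boot()
	m.Preboot[prebootBootEFI][ed25519.SignatureSize] ^= 0xff // corrupt the staged copy
	_, modified := m.T2Boot()
	fmt.Println("staged:", genuine, "| modified:", modified)
}
```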