What exactly enforces secure boot on the iMac Pro?

macos security imac-pro

The T2 enforces secure boot. At the highest level on all Macs before the iMac Pro - High Sierra and the OS runs on the main CPU so there is no separation of power to check that the CPU / code is executing properly (or even that the parts of the OS Apple wants to protect is signed / verified with a checksum type calculation).

The T2 has it's own operating system and performs all storage operations so it's perfectly placed to enforce code signing / kernel extensions / system integrity protection.

Some additional details on this technically are presented below:

In essence, it’s a two-stage process, first driven by the T2, then driven by the more traditional system boot process.

https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4

Startup Security Utility configures the operation of the T2, so that when Full Security is enabled…

  1. The boot.efi bootloader is copied from the selected macOS in /System/Library/CoreServices/boot.efi to the PreBoot APFS partition in /usr/standalone/i386/boot.efi.
  2. The efi-boot-device variable in EFI is set to the path to the copied boot.efi.

https://twocanoes.com/secureboot-imac-pro/

The T2 is the first step of any boot thereafter:

Once the Mac is rebooted, the signature on the boot.efi specified in NVRAM on the PreBoot partition is verified.

https://twocanoes.com/secureboot-imac-pro/

When you start up the iMac Pro, the familiar Apple logo appears almost immediately. This is a sign that the T2 is taking control. For security reasons, the T2 is the iMac Pro hardware’s “root of trust,” and it validates the entire boot process when the power comes on. The T2 starts up, checks things out, loads its bootloader, verifies that it’s legitimate and cryptographically signed by Apple, and then moves on to the next part of the boot process.

https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4

Once the T2 is happy, EFI continues as usual:

If the bootloader signature check succeeds, then control is passed to the boot.efi and the Mac boots normally.

https://twocanoes.com/secureboot-imac-pro/

Related

Is a Sparse Bundle image or Sparse Image better for many files 3 TB external hard drive 4TB?
How to terminate connections to shared PCs?
You can’t open the application “iTunes” because it is being updated
Black rectangle appears on display
Trying to close open port 5900 or find process that opened it
Why is Convert to APFS Failing?
Stop sharing pictures to another device
Linux Mint VM crashes when MacOS sleeps?
Message: This Apple ID has not yet been used with the app store
Is it possible to enable key repeat for letter keys on the Apple Smart Keyboard for iPad Pro?
AirDrop Not Working When Signed Into iCloud
Garageband still taking up space in High Sierra