It's not clear to me how the iMac Pro enforces the secure boot chain – specifically, is this performed by the x86 processor, the EFI firmware, the T2, or a combination of some or all of the above?
iMac – What exactly enforces secure boot on the iMac Pro
imac-pro macos security
Best Answer
The T2 enforces secure boot. At the highest level on all Macs before the iMac Pro - High Sierra and the OS runs on the main CPU so there is no separation of power to check that the CPU / code is executing properly (or even that the parts of the OS Apple wants to protect are signed / verified with a checksum type calculation).
The T2 has its own operating system and performs all storage operations so it's perfectly placed to enforce code signing / kernel extensions / system integrity protection.
Some additional details on this technically are presented below:
https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4
Startup Security Utility configures the operation of the T2, so that when Full Security is enabled…
https://twocanoes.com/secureboot-imac-pro/
The T2 is the first step of any boot thereafter:
https://twocanoes.com/secureboot-imac-pro/
https://www.macworld.com/article/3245764/macs/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html#toc-4
Once the T2 is happy, EFI continues as usual:
https://twocanoes.com/secureboot-imac-pro/