Be that as it may, my point then and now is that having measured
(hashed) the earliest code, you will need to have the data that you
compare it to, in storage that is accessible by the program doing the
comparing. You measure the code, compare the measurement to the stored
equivalent, and release a key to allow you to take the next step.
All this, even before you have access to disk.
Unfortunately, use of the TPM goes beyond that early boot axis integrity
checking aspect - extending into OS and "Application"
integrity/licensing DRM crap and possible tagging.