Discussion on Purism

This is not how anything works.

The TPM receives measurements from the firmware. The firmware measures itself, sees which version it is, what it is loading, etc., and reports that to the TPM. The TPM releases the secret if the measurements match. The TPM does not do any measurements itself. It is a passive chip. The research paper you linked says as much. This is even in the specs. There is no point speculating about a capability that the TPMs are known not to have.

The threat here is that a malicious actor will flash malicious firmware into the EEPROM, which will lie to the TPM. The firmware you originally have is assumed to be trusted in the threat model.

If an attacker has access to your device, and it does not have Boot Guard, they can just flash malicious firmware that will just submit false measurements to the TPM. The malicious firmware doesn’t need to pull any value from any random source. It just needs to lie. And Heads cannot protect against this.

On a normal setup, you have Boot Guard, which has the signature of the OEM fused into the PCH. If an attacker tampers with the boot block, which is protected by Boot Guard, the CPU will notice that the OEM doesn't have the signature of the vendor and refuse to boot. It doesn't even need to get to the measurement part to get caught. The measurements with PCR0, 1, 2, etc. are to make sure that the firmware version has not changed (like in the case of a downgrade attack), that the firmware settings which are not protected by Boot Guard have not changed, etc. This is the defense against an attacker who will try to compromise you with a programmer.

2 Likes
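A toy model of the measured-boot flow the post describes, added here as an illustration and not taken from the post or from any real TPM or Heads code. It assumes SHA-256 for the PCR extend operation and uses a fused image digest as a stand-in for Boot Guard's signature check; the firmware images, settings and the sealed secret are constructed sample values.

```python
import hashlib

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

class PassiveTPM:
    """Stores PCRs and sealed secrets; it never measures anything itself."""
    def __init__(self):
        self.sealed = []          # list of (policy digest, secret)
        self.reset()

    def reset(self):              # power-on reset: every PCR starts at zero
        self.pcr = {0: bytes(32), 1: bytes(32)}

    def extend(self, idx, digest):
        # PCR_new = H(PCR_old || digest): a PCR can only be extended, never set
        self.pcr[idx] = h(self.pcr[idx], digest)

    def policy(self):
        return h(self.pcr[0], self.pcr[1])

    def seal(self, secret):       # bind the secret to the current PCR values
        self.sealed.append((self.policy(), secret))

    def unseal(self):             # release only what the current PCRs match
        return [s for p, s in self.sealed if p == self.policy()]

GENUINE_FW = b"constructed genuine firmware image v1"
MALICIOUS_FW = b"constructed tampered firmware image"
CONFIG = b"constructed firmware settings"
# Stand-in for the OEM key fused into the PCH (a real system verifies a signature).
FUSED_OEM_DIGEST = h(GENUINE_FW)

def boot(tpm, flash_image, reported_fw_digest, boot_guard):
    """One boot: flash_image is what really sits in the EEPROM,
    reported_fw_digest is what the firmware tells the TPM about itself."""
    if boot_guard and h(flash_image) != FUSED_OEM_DIGEST:
        raise RuntimeError("Boot Guard: boot block not signed by OEM, refusing to boot")
    tpm.reset()
    tpm.extend(0, reported_fw_digest)   # the TPM records whatever it is given
    tpm.extend(1, h(CONFIG))            # settings not covered by Boot Guard
    return tpm.unseal()

def provision():
    """Boot the genuine firmware once and seal a secret to those PCRs."""
    tpm = PassiveTPM()
    boot(tpm, GENUINE_FW, h(GENUINE_FW), boot_guard=False)
    tpm.seal(b"constructed-disk-key")
    return tpm
```

Running the four cases (genuine firmware, tampered firmware that measures itself honestly, tampered firmware that reports the genuine digest, and the same with Boot Guard enabled) shows why the PCRs alone cannot catch firmware that lies, and why the signature check has to happen before any measurement is taken.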