"Official" AEM-like functionality with TPM 2.0?

It verifies most or all of SPI flash content through all the stages up to kexecing into the QubesOS boot process; it also verifies the LUKS header and the most important files in /boot. All of these measurements are sent to the TPM and, if they match, the TPM will unseal the OTP secret and generate the correct code to be verified by you with TOTP (e.g. authenticator app on phone) or HOTP (e.g. security dongle).

There is also an experimental feature to verify important dom0 files after unlocking the LUKS volume, but before doing a full OS boot (still very experimental, however).

It also allows you to have the TPM unseal the LUKS key via an alternate password, which in effect would only be valid on that machine and will not be released if the recovery shell was used. This would mitigate password compromise via shoulder surfing (e.g. hidden camera) as long as the attacker didn’t switch out the mainboard.

There’s lots more to be said about Heads; you can search for posts by Insurgo on this forum or check the website as well as their GitHub.

I’m using NitroKey’s NV41, so it’s a laptop you can buy with pre-installed Heads and QubesOS. Novacustom now also offers that laptop with pre-installed Heads and QubesOS AFAIU.
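A toy model of the measure-then-unseal flow described in this post, added here as an illustration and not code from Heads or from the poster: the stage contents, the ToyTpm class and the sealed key are constructed stand-ins, while the HOTP/TOTP arithmetic follows RFC 4226/6238 so the codes match a real authenticator app.

```python
import hashlib
import hmac
import struct

# Constructed sample "boot stages" standing in for the SPI flash regions,
# LUKS header and /boot files that Heads measures; not real firmware content.
GOOD_STAGES = [b"bootblock", b"romstage", b"ramstage",
               b"payload:heads", b"luks-header", b"/boot/vmlinuz"]

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(stages) -> bytes:
    """Extend every stage into one PCR, starting from the all-zero reset value."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr

class ToyTpm:
    """Stand-in for TPM sealing (assumption, not a real TPM API): the secret is
    released only when the current PCR equals the value it was sealed against."""
    def __init__(self):
        self._sealed = {}
    def seal(self, name: str, secret: bytes, pcr: bytes) -> None:
        self._sealed[name] = (pcr, secret)
    def unseal(self, name: str, current_pcr: bytes):
        expected, secret = self._sealed[name]
        return secret if hmac.compare_digest(expected, current_pcr) else None

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step)

def attest(tpm: ToyTpm, stages, unix_time: int):
    """Boot-time check: measure, try to unseal the OTP secret and emit the code
    the user compares with their phone; None means the measurements changed."""
    secret = tpm.unseal("otp", measure_boot(stages))
    return None if secret is None else totp(secret, unix_time)

if __name__ == "__main__":
    tpm = ToyTpm()
    tpm.seal("otp", b"12345678901234567890", measure_boot(GOOD_STAGES))  # provisioning
    print("clean boot   :", attest(tpm, GOOD_STAGES, 59))
    tampered = GOOD_STAGES[:3] + [b"payload:evil"] + GOOD_STAGES[4:]
    print("tampered boot:", attest(tpm, tampered, 59))
```

A single changed byte in any stage yields a different PCR, so the TPM never releases the secret and no valid code can be shown, which is what the user notices at the Heads prompt.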

Very cool stuff, I love it, but unfortunately:

Oh. I’m on a desktop PC, which probably means our hardware is very different and will require insane effort to port: A Dream Come True: Running Coreboot On A Modern, Retail Desktop Motherboard - Phoronix
I guess I might just have no other option than “USB/writeprotect BIOS” :frowning:
(again unless I can freely switch between TPM1.2 and 2.0 without exploding all my PCRs and making AEM panic)

https://www.reddit.com/r/coreboot/comments/gpqpa0/recommended_motherboard_to_build_x86_desktop_pc/

https://www.reddit.com/r/coreboot/comments/18p3s25/options_for_a_desktop_pc_with_coreboot/

It seems coreboot on desktops works (in some cases)…but it would be a bit of a journey for you to learn all about it and try to build it for your motherboard (if possible). This is beyond me though, I’m just a happy clam who has purchased the finished product :stuck_out_tongue:

Yeah I thought coreboot compatibility became universal overnight when I read your message, LOL. Unfortunately that is not the case. :frowning:

I also forgot to say that I experience excessive SSD wear with Qubes (190GB in 3 days?!?) and that is also a factor why I probably won’t daily drive it.

Edit: I did the usual disabling swap and stuff and that slowed it down a bit, but I still get a ton of writes. :frowning: