https://en.wikipedia.org/wiki/Trusted_Platform_Module

Essentially some reboot code that the TPM trusts asks for your password. If that ROM-based code is untrustworthy (someone reflashed it), then your hard disk is a brick. Once you enter the correct password (a short and simple numeric code), your disk is unlocked and can be used to boot the computer.
Being reboot protection makes all the difference for data-at-rest. Note that it provides no security once the computer is booted or if you leave it booted for someone else to grab.
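
A simplified model of the mechanism described above, added here as an illustration and not part of the original comment: boot code is hashed into a register with the TPM-style extend operation, and the disk key is released only when that register and the PIN both match what was recorded at setup. `ToyTPM`, the component strings, the key and the PIN are constructed for this example and are not a real TPM API.

```python
import hashlib
import hmac


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold every boot component, in order, into one register value."""
    pcr = bytes(32)  # the register starts at all zeros after a reset
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Toy model (assumption): releases the key only if register and PIN match."""

    def __init__(self):
        self._sealed = None

    def seal(self, disk_key: bytes, expected_pcr: bytes, pin: str) -> None:
        pin_hash = hashlib.sha256(pin.encode()).digest()
        self._sealed = (disk_key, expected_pcr, pin_hash)

    def unseal(self, current_pcr: bytes, pin: str):
        disk_key, expected_pcr, pin_hash = self._sealed
        pcr_ok = hmac.compare_digest(current_pcr, expected_pcr)
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
        return disk_key if (pcr_ok and pin_ok) else None


# Constructed sample inputs.
GOOD_BOOT = [b"firmware image v1", b"bootloader"]
REFLASHED = [b"firmware image v1 (modified)", b"bootloader"]
DISK_KEY = b"k" * 32
PIN = "1234"


def demo() -> dict:
    tpm = ToyTPM()
    tpm.seal(DISK_KEY, measure_boot(GOOD_BOOT), PIN)
    return {
        "good boot, right PIN": tpm.unseal(measure_boot(GOOD_BOOT), PIN) == DISK_KEY,
        "reflashed firmware": tpm.unseal(measure_boot(REFLASHED), PIN) is None,
        "good boot, wrong PIN": tpm.unseal(measure_boot(GOOD_BOOT), "0000") is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```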