Correct. The TPM is a little chip on the motherboard that can do cryptography. The usual way it's used is that it's configured to read in and hash every piece of code run in the boot process (starting with the TPM itself reading the BIOS code, then the BIOS passing option ROMs and the boot sector, then the boot sector passing on anything it loads). At this point the TPM has a "measurement" of the boot process; a salted hash of all code that runs with some secret burned into the TPM itself.
The TPM has the ability to "seal" or "unseal" an encryption key (just another level of encryption) based on the measurements. So you can use it for full-disk encryption, by sealing your encryption key against the measurement of the boot proess. If the boot process changes (e.g. there's a boot sector virus), or you move the disk to a machine with a different TPM, you can no longer unseal the key to the disk, because you don't have matching measuments any more. You can also use it for remote attestation, by having a network server send the OS a challenge that it gets the TPM to respond to, where the response can only be constructed if the measurements match.
One thing you'll note that the TPM does not have the ability to do is to _stop_ code from executing. It sits there quietly watching what code is executed. It can refuse to provide the encryption key, but it can't, for instance, prevent a malicious boot loader from playing a fake Windows boot animation, popping up a login screen, sending the password somewhere, removing itself, and bluescreening. User data is protected, but even so, it's a lot easier to mount attacks since the attacker has code running on your machine.
The other thing about Secure Boot is that it's possible to implement it just within the existing boot firmware, without requiring a separate processor for doing crypto. Yes, you could imagine the TPM having signature verification capabilities, but it's better to put it on the firmware that already ships with every machine, instead of requiring additional hardware on all machines.