That's a pretty involved question.
First of all: If it actually is ROM, it's tamper-proof. ROM is, electrically, read-only memory. It cannot be changed.
Now, it's perfectly possible that the TPM chip runs firmware that is, in fact, in writable memory.
There's lots of way that can be protected: For example, by only making the firmware memory accessible via command coming from the firmware itself – in that case, the firmware has the job to check whether a firmware update is to be accepted, eg. by checking the electronic signature of who's trying to update the firmware.
Loadable Firmware could also, by the ROM-resident bootloader, be checked e.g. for digital signatures matching the manufacturer key in a piece of ROM.
Other methods involve getting special signal lines from the CPU that are only high when the CPU is in SMM (system management mode, something that usually only the UEFI can enter).
What kind of ROM do TPMs normally use? One-time programmed,
or mask programmed so that it is impossible to change the contents after fabrication?
I can't even tell you whether it's actually ROM, as you can see above. It's an implementation detail, and I'm sure you can learn about the different approaches the manufacturers chose from their datasheet.
