Is the code that runs inside ARM TrustZone open source too? Especially ROM code.

The ARM Trusted Firmware is what typically runs in the secure world, and it is indeed open source: https://github.com/ARM-software/arm-trusted-firmware

ROM code generally speaking is not open source, but has been dumped on occasion.