Does SRAM-PUF require the microcontroller/system to be (1) on the same silicon piece and (2) to prevent access from dumping the SRAM in an uninitialized state in order to be tamper-proof?

> In SRAM PUF, there are two types of challenges that can be applied to the system. The challenge can be either the whole SRAM memory or specific addresses.

Source: Setyawan Sajim, A. (2018). *Open-Source Software-Based SRAM-PUF for Secure Data and Key Storage Using Off-The-Shelf SRAM.*

Does it mean that the response is only derived from the content of the SRAM in an uninitialized state? How can this be tamper-proof? As an attacker, I could just dump the content of the SRAM in an uninitialized state.

kelalaka
DurandA

1 Answer

> Does it mean that the response is only derived from the content of the SRAM in an uninitialized state?

For the raw RAM-PUF response, that's my understanding. How that is turned into a stable value (in practice identical across power-up cycles) is more complex, and requires long-term storage like conventional Flash for associated error-correction data (which at least in principle need not be secret).

> How can this be tamper-proof?

My understanding is that the implicit attack model here includes: the adversary has no physical access to the RAM, and can't remotely read it in its power-up state. Perhaps the early stages of boot read the initial state of the RAM, use that, then zero that RAM.

Update: as noted in a comment, if we assume that getting access to the content of the RAM-PUF at power-up is impossible without decapping the IC, and such decapping alters the RAM-PUF beyond the error-correction capability of the associated error-correction data, then the RAM-PUF can become a tamper-resistant vault for a secret key. I have no information about whether the above assumptions hold in practice (and welcome input on that).

Another attack model commonly considered for RAM-PUF is that the attacker only attempts to make a silicon-level exact copy, or steal ICs on the fabrication line (perhaps rejects). That adversary is unable to write in Flash the associated error-correction data which, together with the unique content of the RAM-PUF, makes the device operative. In this model, reading the initial content of the RAM won't help an adversary who is bound not to redesign the IC.

fgrieu
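The relationship the answer describes between the raw power-up response and the error-correction data kept in Flash can be made concrete with a code-offset construction. The Python below is an added example, not code from the answer or from the cited thesis. It assumes a 7-fold repetition code as a stand-in for whatever error-correcting code a real design uses, and the SRAM contents, noise pattern and function names are all constructed for illustration.

```python
import hashlib
import random

REP = 7  # repetition factor: majority vote corrects up to 3 flipped bits per block

def enroll(sram_bits, key_bits):
    """Code-offset enrollment: helper = codeword XOR power-up response."""
    codeword = [b for b in key_bits for _ in range(REP)]
    return [c ^ s for c, s in zip(codeword, sram_bits)]

def reconstruct(sram_bits, helper):
    """XOR a fresh (noisy) response with the helper data, then majority-decode."""
    noisy = [h ^ s for h, s in zip(helper, sram_bits)]
    blocks = (noisy[i:i + REP] for i in range(0, len(noisy), REP))
    return [1 if sum(block) > REP // 2 else 0 for block in blocks]

def derive_key(key_bits):
    """Hash the decoded bits into the value the device would use as its key."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()

def flip_per_block(bits, flips):
    """Constructed noise model: flip the first `flips` cells of every block."""
    return [b ^ 1 if i % REP < flips else b for i, b in enumerate(bits)]

def demo(seed=1):
    rng = random.Random(seed)  # constructed data, not a real SRAM dump
    key_bits = [rng.getrandbits(1) for _ in range(128)]
    sram = [rng.getrandbits(1) for _ in range(128 * REP)]
    other_chip = [rng.getrandbits(1) for _ in range(128 * REP)]
    helper = enroll(sram, key_bits)  # the data that would be stored in Flash
    enrolled = derive_key(key_bits)

    def matches(response):
        return derive_key(reconstruct(response, helper)) == enrolled

    return {
        "same_chip_noisy": matches(flip_per_block(sram, 3)),
        "beyond_capability": matches(flip_per_block(sram, 4)),
        "other_chip": matches(other_chip),
    }

if __name__ == "__main__":
    print(demo())
```

The same helper data recovers the key only when the power-up response stays within the code's correction capability: a response with more errors than the code tolerates, or the response of a different chip, yields a different key.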