Entanglement with MCUboot imgtool: TFM wrapper.py uses imagetool source as library, which it is not, causing entanglement in CI

[de-nordic]

Problem manifestation

MCUboot relies on TF-M for FIH testing, and TF-M on MCUboot imgtool source to implement wrappery.py, which means that any changes in API, that is imgtool internal API, may cause FIH tests to fail on our CI, even though nothing FIH related has been touched.
This is entanglement that makes it impossible to modify non-public parts of MCUboot support scripts without providing changes to TF-M.

Problem details

Imgtool is not a library it is a command line tool with interface defined by its command line parametersnot internal API.

Wrapper script imports imgtool script and directly uses it to implement own functionality over it:

trusted-firmware-m/bl2/ext/mcuboot/scripts/wrapper.py

Lines 15 to 21 in 8f614dd

	# Add the cwd to the path so that if there is a version of imgtool in there then
	# it gets used over the system imgtool. Used so that imgtool from upstream
	# mcuboot is preferred over system imgtool
	cwd = os.getcwd()
	sys.path = [cwd] + sys.path
	import imgtool
	import imgtool.main

and

trusted-firmware-m/bl2/ext/mcuboot/scripts/wrapper.py

Line 121 in 8f614dd

img = imgtool.image.Image(version=imgtool.version.decode_version(version),

Imgtool is not library, it's internal API is not public and is not supposed to be used separately.

MCUboot depends on TF-M for testing FIH, while we are supposed to adapt to changes to TF-M, due to using your stuff for our purpose, this two-way entanglement makes it impossible for us to change code we are responsible for, once again: non-public API, without getting involved with this project too.