[nrf fromtree] build: kconfig: Add support for warning insecure features

ceolin · rado17 · commit 882d7e224d8a · 2025-07-17T12:19:14.000+05:30
Add a new promptless Kconfig symbol (INSECURE). This symbols must be selected by any setting which is used to enable an insecure feature. Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com> (cherry picked from commit 674fd09)
diff --git a/Kconfig.zephyr b/Kconfig.zephyr
@@ -1030,6 +1030,12 @@ config WARN_EXPERIMENTAL
 	  Print a warning when the Kconfig tree is parsed if any experimental
 	  features are enabled.
 
+config NOT_SECURE
+	bool
+	help
+	  Symbol to be selected by a feature to inidicate that feature is
+	  not secure.
+
 config TAINT
 	bool
 	help
diff --git a/scripts/kconfig/kconfig.py b/scripts/kconfig/kconfig.py
@@ -93,6 +93,8 @@ def main():
     if kconf.syms.get('WARN_EXPERIMENTAL', kconf.y).tri_value == 2:
         check_experimental(kconf)
 
+    check_not_secure(kconf)
+
     # Hack: Force all symbols to be evaluated, to catch warnings generated
     # during evaluation. Wait till the end to write the actual output files, so
     # that we don't generate any output if there are warnings-turned-errors.
@@ -266,6 +268,16 @@ def check_experimental(kconf):
             selector_name = split_expr(selector, AND)[0].name
             warn(f'Experimental symbol {selector_name} is enabled.')
 
+def check_not_secure(kconf):
+    not_secure = kconf.syms.get('NOT_SECURE')
+    dep_expr = kconf.n if not_secure is None else not_secure.rev_dep
+
+    if dep_expr is not kconf.n:
+        selectors = [s for s in split_expr(dep_expr, OR) if expr_value(s) == 2]
+        for selector in selectors:
+            selector_name = split_expr(selector, AND)[0].name
+            warn(f'Not secure symbol {selector_name} is enabled.')
+
 
 def promptless(sym):
     # Returns True if 'sym' has no prompt. Since the symbol might be defined in
diff --git a/share/sysbuild/Kconfig b/share/sysbuild/Kconfig
@@ -69,6 +69,12 @@ config WARN_DEPRECATED
 	  Print a warning when the Kconfig tree is parsed if any deprecated
 	  features are enabled.
 
+config NOT_SECURE
+	bool
+	help
+	  Symbol to be selected by a feature to inidicate that feature is
+	  not secure.
+
 rsource "images/Kconfig"
 
 menu "Build options"
