From 674fd094aa67b31d1d54b1f318adce8ed2faddd6 Mon Sep 17 00:00:00 2001
From: Flavio Ceolin <flavio@hubblenetwork.com>
Date: Tue, 8 Jul 2025 09:45:23 -0700
Subject: [PATCH] build: kconfig: Add support for warning insecure features

Add a new promptless Kconfig symbol (INSECURE). This symbols must
be selected by any setting which is used to enable an insecure
feature.

Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com>
---
 Kconfig.zephyr             |  6 ++++++
 scripts/kconfig/kconfig.py | 12 ++++++++++++
 share/sysbuild/Kconfig     |  6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/Kconfig.zephyr b/Kconfig.zephyr
index 1e854ab5354..920da3f410f 100644
--- a/Kconfig.zephyr
+++ b/Kconfig.zephyr
@@ -1037,6 +1037,12 @@ config WARN_EXPERIMENTAL
 	  Print a warning when the Kconfig tree is parsed if any experimental
 	  features are enabled.
 
+config NOT_SECURE
+	bool
+	help
+	  Symbol to be selected by a feature to inidicate that feature is
+	  not secure.
+
 config TAINT
 	bool
 	help
diff --git a/scripts/kconfig/kconfig.py b/scripts/kconfig/kconfig.py
index feb0b447a88..74f8513138f 100755
--- a/scripts/kconfig/kconfig.py
+++ b/scripts/kconfig/kconfig.py
@@ -93,6 +93,8 @@ def main():
     if kconf.syms.get('WARN_EXPERIMENTAL', kconf.y).tri_value == 2:
         check_experimental(kconf)
 
+    check_not_secure(kconf)
+
     # Hack: Force all symbols to be evaluated, to catch warnings generated
     # during evaluation. Wait till the end to write the actual output files, so
     # that we don't generate any output if there are warnings-turned-errors.
@@ -266,6 +268,16 @@ def check_experimental(kconf):
             selector_name = split_expr(selector, AND)[0].name
             warn(f'Experimental symbol {selector_name} is enabled.')
 
+def check_not_secure(kconf):
+    not_secure = kconf.syms.get('NOT_SECURE')
+    dep_expr = kconf.n if not_secure is None else not_secure.rev_dep
+
+    if dep_expr is not kconf.n:
+        selectors = [s for s in split_expr(dep_expr, OR) if expr_value(s) == 2]
+        for selector in selectors:
+            selector_name = split_expr(selector, AND)[0].name
+            warn(f'Not secure symbol {selector_name} is enabled.')
+
 
 def promptless(sym):
     # Returns True if 'sym' has no prompt. Since the symbol might be defined in
diff --git a/share/sysbuild/Kconfig b/share/sysbuild/Kconfig
index e2076941380..5f689e07399 100644
--- a/share/sysbuild/Kconfig
+++ b/share/sysbuild/Kconfig
@@ -69,6 +69,12 @@ config WARN_DEPRECATED
 	  Print a warning when the Kconfig tree is parsed if any deprecated
 	  features are enabled.
 
+config NOT_SECURE
+	bool
+	help
+	  Symbol to be selected by a feature to inidicate that feature is
+	  not secure.
+
 rsource "images/Kconfig"
 
 menu "Build options"