feat(gateway): add KNX Data Secure support and related configurations

Signed-off-by: Tony <tonylu@tony-cloud.com>

apps/gateway/main/Kconfig.projbuild

@@ -621,6 +621,41 @@ config GATEWAY_START_KNX_BRIDGE_ENABLED
         Starts the KNXnet/IP tunneling/multicast listener at boot. Disabled by
         default so UDP port 3671 is opened only after provisioning or explicit start.
 
+config GATEWAY_KNX_DATA_SECURE_SUPPORTED
+    bool "Enable KNX Data Secure support"
+    depends on GATEWAY_KNX_BRIDGE_SUPPORTED
+    default n
+    help
+        Compiles the OpenKNX SecurityInterfaceObject and SecureApplicationLayer
+        into the ETS runtime. This is the application-layer security path used
+        for secure KNX group-object and ETS tool traffic.
+
+config GATEWAY_KNX_IP_SECURE_SUPPORTED
+    bool "Enable KNXnet/IP Secure support"
+    depends on GATEWAY_KNX_BRIDGE_SUPPORTED
+    default n
+    help
+        Builds gateway support for KNXnet/IP Secure tunneling and routing. The
+        secure session transport is implemented by the gateway-owned KNX/IP
+        router and is separate from KNX Data Secure APDU handling.
+
+config GATEWAY_KNX_SECURITY_DEV_ENDPOINTS
+    bool "Enable KNX security development HTTP endpoints"
+    depends on GATEWAY_KNX_DATA_SECURE_SUPPORTED || GATEWAY_KNX_IP_SECURE_SUPPORTED
+    default n
+    help
+        Exposes development-only HTTP actions for reading, writing, generating,
+        and resetting KNX security material. Disable this for production builds.
+
+config GATEWAY_KNX_SECURITY_PLAIN_NVS
+    bool "Store KNX security material in plain NVS"
+    depends on GATEWAY_KNX_DATA_SECURE_SUPPORTED || GATEWAY_KNX_IP_SECURE_SUPPORTED
+    default y
+    help
+        Stores development KNX security material in normal NVS. This is useful
+        during bring-up, but production builds should replace it with encrypted
+        NVS, flash encryption, and secure boot before exposing real keys.
+
 config GATEWAY_KNX_MAIN_GROUP
     int "KNX DALI main group"
     depends on GATEWAY_KNX_BRIDGE_SUPPORTED

apps/gateway/sdkconfig

@@ -688,6 +688,10 @@ CONFIG_GATEWAY_BACNET_BRIDGE_SUPPORTED=y
 # CONFIG_GATEWAY_START_BACNET_BRIDGE_ENABLED is not set
 CONFIG_GATEWAY_KNX_BRIDGE_SUPPORTED=y
 CONFIG_GATEWAY_START_KNX_BRIDGE_ENABLED=y
+CONFIG_GATEWAY_KNX_DATA_SECURE_SUPPORTED=y
+# CONFIG_GATEWAY_KNX_IP_SECURE_SUPPORTED is not set
+# CONFIG_GATEWAY_KNX_SECURITY_DEV_ENDPOINTS is not set
+CONFIG_GATEWAY_KNX_SECURITY_PLAIN_NVS=y
 CONFIG_GATEWAY_KNX_MAIN_GROUP=0
 CONFIG_GATEWAY_KNX_TUNNEL_ENABLED=y
 CONFIG_GATEWAY_KNX_MULTICAST_ENABLED=y

apps/gateway/sdkconfig.defaults

@@ -15,4 +15,5 @@ CONFIG_ETH_USE_SPI_ETHERNET=y
 CONFIG_ETH_SPI_ETHERNET_W5500=y
 CONFIG_GATEWAY_ETHERNET_SUPPORTED=y
 CONFIG_GATEWAY_START_ETHERNET_ENABLED=y
-CONFIG_GATEWAY_ETHERNET_IGNORE_INIT_FAILURE=y
+CONFIG_GATEWAY_ETHERNET_IGNORE_INIT_FAILURE=y
+CONFIG_GATEWAY_KNX_DATA_SECURE_SUPPORTED=y