[PATCH v2 00/11] ftrfs: Fault-Tolerant Radiation-Robust Filesystem

From: Aurelien DESBRIERES

Date: Mon Apr 13 2026 - 17:06:53 EST


FTRFS is an out-of-tree Linux filesystem designed for embedded systems
operating in radiation-intensive environments. It provides per-block
CRC32 checksumming and a Reed-Solomon FEC encoder (decoder planned for
v3) for in-place correction of silent data corruption caused by
single-event upsets (SEU).

FTRFS does not compete with ext4 for general-purpose use. The target
is embedded critical systems where DO-178C (avionics), ECSS-E-ST-40C
(space), or IEC 61508 (nuclear) certification is a hard requirement.
These standards require complete code auditability. No existing Linux
filesystem can realistically be certified under these frameworks due to
code complexity. FTRFS is designed to stay under 5000 lines of auditable
code with RS FEC as a first-class design constraint.

Changes since v1:
- Implement address_space_operations (Matthew Wilcox)
  ftrfs_get_block now allocates blocks (create=1), returns -EIO for
  holes on read. Set bh_result->b_size correctly.
  Add ftrfs_write_begin, ftrfs_write_end, ftrfs_readahead, ftrfs_bmap,
  dirty_folio, invalidate_folio.
- Fix inode lifecycle: use insert_inode_locked() instead of
  insert_inode_hash(). new_inode() does not set I_NEW.
  Move unlock_new_inode() to callers after d_instantiate().
- On-disk format: inode 128 -> 256 bytes, uid/gid __le16 -> __le32,
  add i_tindirect (~512 GiB), remove i_blocks, BUILD_BUG_ON enforces
  structure sizes at compile time.
- Directory: skip . and .. in readdir data blocks (dir_emit_dots).
- Add ftrfs_inode_is_new compat macro for inode_state_read_once API.
- i_size __le64 is intentional: future-proof for growing MRAM densities.
  The real limit is the block pointer scheme (~512 GiB with tindirect).
  BUILD_BUG_ON documents the structure sizes explicitly (Darrick J. Wong).

Known gaps to be addressed in v3:
- IO path: migrate from buffer_head to iomap (Matthew Wilcox)
- rename: not yet implemented
- xfstests: no test run yet
- RS FEC decoder: encoder present, decoder skeleton only

Tested on arm64 kernel 7.0-rc7 (Yocto KVM, Slurm HPC cluster):
  mount, write, mkdir, read: functional
  0 BUG/WARN/Oops in dmesg

Yocto integration: https://github.com/roastercode/yocto-hardened/tree/arm64-ftrfs
RFC paper: https://doi.org/10.1007/978-3-319-16086-3_8

Aurelien DESBRIERES (11):
  ftrfs: add on-disk format and in-memory data structures
  ftrfs: add superblock operations
  ftrfs: add inode operations
  ftrfs: add directory operations
  ftrfs: add file operations
  ftrfs: add block and inode allocator
  ftrfs: add filename and directory entry operations
  ftrfs: add CRC32 checksumming and Reed-Solomon FEC skeleton
  ftrfs: add Kconfig, Makefile and fs/ tree integration
  MAINTAINERS: add entry for FTRFS filesystem
  ftrfs: v2 fixes — write path, inode lifecycle, on-disk format

 MAINTAINERS       |   6 +
 fs/ftrfs/Kconfig  |  18 ++
 fs/ftrfs/Makefile |   9 +
 fs/ftrfs/alloc.c  | 251 ++++++++++++++++++
 fs/ftrfs/dir.c    | 126 +++++++++
 fs/ftrfs/edac.c   |  84 ++++++
 fs/ftrfs/file.c   | 110 ++++++++
 fs/ftrfs/ftrfs.h  | 168 ++++++++++++
 fs/ftrfs/inode.c  | 103 ++++++++
 fs/ftrfs/namei.c  | 428 +++++++++++++++++++++++++++++++
 fs/ftrfs/super.c  | 276 ++++++++++++++++++++
 11 files changed, 1579 insertions(+)

--
2.49.0