From: Aurelien DESBRIERES <aurelien@hackers.camp>
To: Pedro Falcato <pfalcato@suse.de>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
viro@zeniv.linux.org.uk, brauner@kernel.org
Subject: Re: [RFC PATCH 0/10] ftrfs: Fault-Tolerant Radiation-Robust Filesystem
Date: Tue, 14 Apr 2026 15:30:36 +0200 [thread overview]
Message-ID: <1776173436.199615.8794.nullmailer@me> (raw)
In-Reply-To: <fkf75lk2sm2nfych34jiyoeqfctwkirzo22coqsad72yeau7ht@mh36h7nercwh>
On Mon, Apr 13, 2026 at 03:04:11PM +0000, Pedro Falcato wrote:
> Well, here's the obvious question: do you have a usecase for this?
The target is embedded Linux systems in radiation-intensive environments
where single-event upsets (SEU) cause silent bit flips in data at rest.
Specifically: nanosatellites using MRAM or NOR flash as primary storage,
with no block layer redundancy (no RAID, no mirroring, single device).
The concrete use case is derived from the MOVE-II CubeSat mission at
TU Munich (Fuchs, Langer, Trinitis — ARCS 2015). The paper documents
measured SEU rates on commercial MRAM in LEO and shows that RS FEC at
the filesystem level is the only mechanism that can recover corrupted
data in place on a single-device system without external redundancy.
The implementation is validated in a real arm64 HPC cluster (Slurm
25.11.4, Yocto Styhead 5.1, kernel 7.0) as a proof of concept for
space-grade embedded Linux deployments:
https://github.com/roastercode/yocto-hardened/tree/arm64-ftrfs
> Well, as far as I can see, there's no write path, no read path (no
> address_space_operations as far as I can see), no rename. Did you
> test this?
v1 was an RFC skeleton. These were addressed in subsequent versions:
- v2: address_space_operations, write path, inode lifecycle fixes
- v3: iomap IO path (replacing buffer_head, per Matthew Wilcox),
rename, RS FEC decoder, Radiation Event Journal
- v3: xfstests generic/001, 002, 010 equivalent validated on
qemuarm64 kernel 7.0
> The layout itself is super unix-filesystem/ext2 reminiscent, so if
> something like this is really needed, I would strongly recommend you
> perhaps add this there. One feature (crc32c checksums over several
> metadata structures) already exists on ext4.
ext4 checksums detect corruption but do not correct it. fsverity
detects tampering on read-only data but does not correct it. Neither
provides in-place RS FEC correction on a single-device system.
The certification constraint is also a hard requirement for the target
environment: DO-178C (avionics), ECSS-E-ST-40C (space), and IEC 61508
(nuclear/industrial) require complete code auditability. ext4 at ~100k
lines cannot realistically be certified under these frameworks.
FTRFS targets under 5000 lines of auditable code.
Aurelien DESBRIERES <aurelien@hackers.camp>
next prev parent reply other threads:[~2026-04-14 12:07 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 14:23 [RFC PATCH 0/10] ftrfs: Fault-Tolerant Radiation-Robust Filesystem Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 01/10] ftrfs: add on-disk format and in-memory data structures Aurelien DESBRIERES
2026-04-13 15:11 ` Darrick J. Wong
2026-04-13 17:26 ` Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 02/10] ftrfs: add superblock operations Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 03/10] ftrfs: add inode operations Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 04/10] ftrfs: add directory operations Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 05/10] ftrfs: add file operations Aurelien DESBRIERES
2026-04-13 15:09 ` Matthew Wilcox
[not found] ` <CAM=40tU5NppEZ9x07qDVkSxLw6Ga4nVg7sDCqcvhfQ51VbsS9Q@mail.gmail.com>
2026-04-13 17:41 ` Matthew Wilcox
2026-04-13 14:23 ` [RFC PATCH 06/10] ftrfs: add block and inode allocator Aurelien DESBRIERES
2026-04-13 15:21 ` Darrick J. Wong
2026-04-14 14:11 ` Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 07/10] ftrfs: add filename and directory entry operations Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 08/10] ftrfs: add CRC32 checksumming and Reed-Solomon FEC skeleton Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 09/10] ftrfs: add Kconfig, Makefile and fs/ tree integration Aurelien DESBRIERES
2026-04-13 14:23 ` [RFC PATCH 10/10] MAINTAINERS: add entry for FTRFS filesystem Aurelien DESBRIERES
2026-04-13 15:04 ` [RFC PATCH 0/10] ftrfs: Fault-Tolerant Radiation-Robust Filesystem Pedro Falcato
2026-04-13 18:03 ` Andreas Dilger
2026-04-14 2:56 ` Gao Xiang
2026-04-14 14:11 ` Aurelien DESBRIERES
2026-04-14 13:30 ` Aurelien DESBRIERES [this message]
2026-04-13 15:06 ` Matthew Wilcox
2026-04-13 18:11 ` Darrick J. Wong
2026-04-14 14:11 ` Aurelien DESBRIERES
2026-04-14 13:31 ` Aurelien DESBRIERES
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1776173436.199615.8794.nullmailer@me \
--to=aurelien@hackers.camp \
--cc=brauner@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pfalcato@suse.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox