fatfs: Add erase disk to format

[geky]

Description

Right now, many users are trying out many different filesystems. Unfortunately, this can leave partially written filesystems on disk in various states.

A common pattern for using embedded filesystems is to attempt a mount, and on failure, format the storage with the filesystem.

Unfortunately, this simply doesn't work if you try to change the filesystem being used on a piece of storage. Filesystems don't always use the same regions of storage, and can leave enough metadata lying
around from old filesystems to trick a different mount into thinking a valid filesystem exists on disk. The filesystems we have were never designed to check for malicious modification and can't protect against
arbitrary changes.

---

That being said, it's caused enough problems for users, so as a workaround, this patch adds a disk erase to the FAT filesystem format. The most common error happens when you use LittleFS, followed by FAT,
followed again by LittleFS.

No other combination of filesystem usage has shown a similar failure, but it is possible after extensive filesystem use, so I would still heavily suggest that you force a format of the storage when changing filesystems.

Note

This needs significant review before merging, but I believe it is a welcomed fix:
needs testing
cc @dannybenor, @davidsaada, @deepikabhavnani, @kegilbert, @cmonr, @moranpeker, @karsev
related #5871, ARMmbed/mbed-os-example-filesystem#21

TODO

• Test

Pull request type

[ ] Fix
[ ] Refactor
[ ] New target
[x] Feature
[ ] Breaking change

[davidsaada]

Looks good to me. Just a few small artifacts.

[davidsaada]

As we're on a C++ module, guess it would make more sense to use new[] and delete[] rather than malloc and free.

[geky]

I still use malloc when I want a blob of raw memory. new[] and delete[] are important for staying within the type system, but here the memory allocated is intentionally without type.

[davidsaada]

Suggest to store the program size in a local variable. Getting it from the bd each time (certainly inside the loop) is a bit inefficient.

[geky]

I was surprised, I expected the compiler to optimize this call out, but it didn't at all!

[deepikabhavnani]

Will this solution work for all block devices? In case of SD we do not implement erase, erase is done as part of trim.

[geky]

It checks erase_value below. If erase_value is negative (default), erase isn't trusted and 1s are written out.

[deepikabhavnani]

In case of error deinit operation should be performed before unlock and return.

[geky]

Good point 👍

[geky]

These should be updated

[deepikabhavnani]

deinit?

[deepikabhavnani]

Can return old error, but don't return without un-mount operation

[geky]

Discussion with @deepikabhavnani: For runtime we should only erase first couple of blocks and trim remaining storage. The erase is required, where the trim is a suggestion to the block device.

[deepikabhavnani]

Looks good

[cmonr]

/morph build

[mbed-ci]

Build : SUCCESS

Build number : 2015
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6866/

Triggering tests

/morph test
/morph uvisor-test
/morph export-build
/morph mbed2-build

[mbed-ci]

Test : SUCCESS

Build number : 1825
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/6866/1825

[mbed-ci]

Exporter Build : SUCCESS

Build number : 1667
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/6866/

[cmonr]

@davidsaada Could you re-review?

[davidsaada]

Looks good to me.

[0xc0170]

This needs significant review before merging, but I believe it is a welcomed fix:
needs testing
cc @dannybenor, @davidsaada, @deepikabhavnani, @kegilbert, @cmonr, @moranpeker, @karsev

As requested, this should get more approvals

[adbridge]

@dannybenor, @deepikabhavnani, @kegilbert, @cmonr, @moranpeker, @karsev Could we please have your reviews on this asap?

[dannybenor]

Looks good to me