[Uwqye2134trf]

When I work on embedded Linux stuff I sign my packages.

Shipping hardware as opposed to software allows secure deployment of pre-shared keys which can be trusted.

Even if someone hacks our automatic updates server (not too unlikely, it's some shared hosting), devices we have sold won't trust the modified packages because 512-bit ECDSA signature won't match the public key they have pre-deployed.

[beefhash]

Out of curiosity:

1. Why ECDSA?

2. Why a 512-bit prime for the curve?

[Uwqye2134trf]

1. Only two asymmetric algorithms are widely supported and almost universlly recommended, RSA and ECDSA. Compared to RSA, ECC needs smaller keys for same security.

2. I did that couple years ago already, I think it actually was 521 bits, the best one recommanded by FIPS at that time. The hardware has no relations to FIPS, it's not even _that_ expensive and should contain no secret data. I just saw no reasons not to implement the best security available: development time is not affacted by the count of these bits.