From ee1cd782ab0d91d34785c81425ee27217a66d0aa Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Thu, 13 May 2021 17:04:21 +0100
Subject: [PATCH] Update TPMv2 documentation a little, add changelog for
 TLSv1.3 and swtpm

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 www/changelog.xml |  1 +
 www/tpm.xml       | 28 +++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/www/changelog.xml b/www/changelog.xml
index 2aac3c8b..c84e0030 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -40,6 +40,7 @@
        <li>More gracefully handle Pulse/NC idle timeouts and other Pulse fatal errors (<a href="https://gitlab.com/openconnect/openconnect/-/issues/187">!187</a>)</li>
        <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
        <li>Add support for <a href="https://arraynetworks.com/products-secure-access-gateways-ag-series.html">Array Networks SSL VPN</a> (<a href="https://gitlab.com/openconnect/openconnect/-/issues/102">#102</a>)</li>
+       <li>Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM.</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
diff --git a/www/tpm.xml b/www/tpm.xml
index 3374a330..302174f9 100644
--- a/www/tpm.xml
+++ b/www/tpm.xml
@@ -50,8 +50,34 @@ based on different TSS libraries.</p>
 <a href="https://github.com/tpm2-software/tpm2-tss">Intel/TCG stack</a>. OpenConnect can use
 either ENGINE.</p>
 
+<p>
+  The GnuTLS build of OpenConnect can use either TSS library, with TPMv2 support
+  implemented natively in OpenConnect. GnuTLS does not have its own TPMv2 support yet
+  (<a href="https://gitlab.com/gnutls/gnutls/-/issues/594">GnuTLS issue #594</a>).
+</p>
+
+<h3>Creating / importing keys</h3>
+
+<p>
+  Each of the above-referenced OpenSSL ENGINE implementations comes with a tool to
+  create keys in the appropriate format.
+</p>
+<p>
+  The <tt>create_tpm2_key</tt> tool from the IBM version can be used to 'wrap' existing
+  keys, using its <tt>-w</tt> option. To take an existing key file and encrypt it for
+  use by the TPM, for example:
+  <ul><li><tt>create_tpm_key -w key_file.pem tpm_key.pem</tt></li></ul>
+  Presumably you would then delete the original key file, since having the private key
+  protected by the TPM is a bit pointless if you just leave it lying around on disk
+  anyway.
+</p>
+<p>
+  The Intel version does not support importing existing keys; this is
+  <a href="https://github.com/tpm2-software/tpm2-tss-engine/issues/39">tpm2-tss-engine issue #39</a>.
+</p>
+
 
-<p>The GnuTLS build of OpenConnect can use either TSS library.</p>
+<h3>Legacy TPMv2 key format</h3>
 
 <p>Older keys from <tt>openssl_tpm2_engine</tt> may have the tag:
 <pre>-----BEGIN TSS2 KEY BLOB-----</pre></p>
-- 
2.50.1