Documentation update

Signed-off-by: Morten Linderud <morten@linderud.pw>

README.md

@@ -1,9 +1,12 @@
 SSH agent for TPM
 =================
 
-`ssh-tpm-agent` is a ssh-agent that allows keys to be created by the Trusted
-Platform Module (TPM), sealed outside of it, for authentication towards ssh
-servers.
+`ssh-tpm-agent` is a ssh-agent compatible agent that allows keys to be created
+by the Trusted Platform Module (TPM) for authentication towards ssh servers.
+
+TPM sealed keys are private keys created inside the Trusted Platform Module
+(TPM) and sealed in `.tpm` suffixed files. They are bound to the hardware they
+where produced on and can't be transferred to other machines.
 
 This allows one to utilize a native client instead of having to side load
 existing PKCS11 libraries into the ssh-agent and/or ssh client.
@@ -17,8 +20,8 @@ existing PKCS11 libraries into the ssh-agent and/or ssh client.
 
 # Experimental
 
-The identity format and technical details might change between iterations.
-Consider this plugin experimental.
+The key format and technical details might change between iterations.  Consider
+this agent experimental.
 
 Instead of utilizing the TPM directly, you can use `--swtpm` or `export
 SSH_TPM_AGENT_SWTPM=1` to create a identity backed by

cmd/ssh-tpm-agent/main.go

@@ -21,7 +21,22 @@ const usage = `Usage:
 Options:
     -l    path of the UNIX socket to listen on
 
-Generate new sealed keys for ssh-tpm-agent.`
+ssh-tpm-agent is a program that loads TPM sealed keys for public key
+authentication. It is an ssh-agent(1) compatible program and can be used for
+ssh(1) authentication.
+
+TPM sealed keys are private keys created inside the Trusted Platform Module
+(TPM) and sealed in .tpm suffixed files. They are bound to the hardware they
+where produced on and can't be transferred to other machines.
+
+Use ssh-tpm-keygen to create new keys.
+
+The agent loads all TPM sealed keys from $HOME/.ssh.
+
+Example:
+    $ ssh-tpm-agent -l /var/tmp/tmp/tpm.sock
+    $ export SSH_AUTH_SOCK="/var/tmp/tpm.sock"
+    $ ssh git@github.com`
 
 func main() {
 	flag.Usage = func() {

cmd/ssh-tpm-keygen/main.go

@@ -28,7 +28,23 @@ Options:
     -f       Output keyfile WIP
     -N       PIN for the key WIP
 
-Generate new sealed keys for ssh-tpm-agent.`
+Generate new TPM sealed keys for ssh-tpm-agent.
+
+TPM sealed keys are private keys created inside the Trusted Platform Module
+(TPM) and sealed in .tpm suffixed files. They are bound to the hardware they
+where produced on and can't be transferred to other machines.
+
+Example:
+    $ ssh-tpm-keygen
+    Generating a sealed public/private ecdsa key pair.
+    Enter file in which to save the key (/home/user/.ssh/id_ecdsa):
+    Enter pin (empty for no pin):
+    Enter same pin again:
+    Your identification has been saved in /home/user/.ssh/id_ecdsa.tpm
+    Your public key has been saved in /home/user/.ssh/id_ecdsa.pub
+    The key fingerprint is:
+    SHA256:NCMJJ2La+q5tGcngQUQvEOJP3gPH8bMP98wJOEMV564
+    The key's randomart image is the color of television, tuned to a dead channel.`
 
 func getStdin(s string, args ...any) (string, error) {
 	fmt.Printf(s, args...)