Update upgrade guide with HSM info

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 DEPRECATIONS/CHANGES:
 
+ * HSM config parameter requirements: When using Vault with an HSM, a new
+   paramter is required: `hmac_key_label`.  This performs a similar function to
+   `key_label` but for the HMAC key Vault will use. Vault will generate a
+   suitable key if this value is specified and `generate_key` is set true.
  * API HTTP client behavior: When calling `NewClient` the API no longer
    modifies the provided client/transport. In particular this means it will no
    longer enable redirection limiting and HTTP/2 support on custom clients. It

website/source/guides/upgrading/upgrade-to-0.9.0.html.md

@@ -71,6 +71,14 @@ for the encryption keyring itself.
 To better reflect its actual use, the `generic` backend is now `kv`. Using
 `generic` will still work for backwards compatibility.
 
+### HSM Users Need to Specify New Config Options (In 0.9)
+
+When using Vault with an HSM, a new paramter is required: `hmac_key_label`.
+This performs a similar function to `key_label` but for the HMAC key Vault will
+use. Vault will generate a suitable key if this value is specified and
+`generate_key` is set true. See [the seal configuration page][pkcs11-seal] for
+more information.
+
 ### API HTTP client behavior (In 0.9)
 
 When calling `NewClient` the API no longer modifies the provided
@@ -111,3 +119,4 @@ Audit request and response entires are still in RFC3339 format but now have a
 granularity of nanoseconds.
 
 [generate-root]: https://www.vaultproject.io/api/secret/pki/index.html#generate-root
+[pkcs11-seal]: https://www.vaultproject.io/docs/configuration/seal/pkcs11.html