Add migration guide and changelog entry for MBEDTLS_PRIVATE

We forgot those in #4511.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/ChangeLog.d/private-fields.txt b/ChangeLog.d/private-fields.txt
new file mode 100644
index 0000000..10b9a59
--- /dev/null
+++ b/ChangeLog.d/private-fields.txt
@@ -0,0 +1,5 @@
+API changes
+   * Direct access to fields of structures declared in public headers is no
+     longer supported except for fields that are documented public. Use accessor
+     functions instead. For more information, see the migration guide entry
+     "Most structure fields are now private".
diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md
index 352c484..0ffd919 100644
--- a/docs/3.0-migration-guide.md
+++ b/docs/3.0-migration-guide.md
@@ -150,6 +150,19 @@
 <https://tls.mbed.org/kb/how-to/add-entropy-sources-to-entropy-pool> for more
 information.
 
+### Most structure fields are now private
+
+Direct access to fields of structures (`struct` types) declared in public headers is no longer supported. In Mbed TLS 3, the layout of structures is not considered part of the stable API, and minor versions (3.1, 3.2, etc.) may add, remove, rename, reorder or change the type of structure fields.
+
+There is a small number of exceptions where some fields are guaranteed to remain stable throughout the lifetime of Mbed TLS 3.x. These fields are explicitly documented as public. Please note that even if all the fields of a structure are public, future versions may add new fields. Also, as before, some public fields should be considered read-only, since modifying them may make the struture inconsistent; check the documentation in each case.
+
+Attempting to access a private field directly will result in a compilation error.
+
+If you were accessing structure fields directly, and these fields are not documented as public, you need to change your code. If an accessor (getter/setter) function exists, use that. Direct accessor functions are usually called `mbedtls_<MODULE>_{get,set}_<FIELD>` or `mbedtls_<MODULE>_<STRUCTURE>_{get,set}_<FIELD>`. Accessor functions that change the format may use different verbs, for example `read`/`write` for functions that import/export data from/to a text or byte string.
+
+If no accessor function exists, please open an [enhancement request against Mbed TLS](https://github.com/ARMmbed/mbedtls/issues/new?template=feature_request.md) and describe your use case. The Mbed TLS development team is aware that some useful accessor functions are missing in the 3.0 release, and we expect to add them the first minor release(s) (3.1, etc.).
+
+As a last resort, you can access the field `foo` of a structure `bar` by writing `bar.MBEDTLS_PRIVATE(foo)`. Note that you do so at your own risk, since such code is likely to break in a future minor version of Mbed TLS.
 
 
 ## Low-level crypto