diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h
index 807c884205..2a0980b39c 100644
--- a/include/mbedtls/ecdh.h
+++ b/include/mbedtls/ecdh.h
@@ -134,8 +134,8 @@ typedef struct mbedtls_ecdh_context
 mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */
 mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
- int restart_enabled; /*!< The flag for restartable mode. */
- mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+ int MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. */
+ mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #else
 uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index cf063a0b52..735d37764f 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -29,6 +29,7 @@
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
+#include "mbedtls/private_access.h"
 #if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h
index d707bddf02..78591e7654 100644
--- a/include/mbedtls/entropy.h
+++ b/include/mbedtls/entropy.h
@@ -124,7 +124,7 @@ typedef struct mbedtls_entropy_context
 #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
 mbedtls_sha512_context MBEDTLS_PRIVATE(accumulator);
 #else
- mbedtls_sha256_context accumulator;
+ mbedtls_sha256_context MBEDTLS_PRIVATE(accumulator);
 #endif
 int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */
 mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES];
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 2dda6ad45d..b6b9c8ca10 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
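Review bot: The Doxygen text on `restart_enabled` in the `MBEDTLS_ECP_RESTARTABLE` block of `include/mbedtls/ecdh.h` no longer tells a caller how to switch restartable mode on once the member is wrapped in `MBEDTLS_PRIVATE`. Application code that wrote the flag directly will presumably stop compiling, so the comment should name the public setter, e.g. `/*!< The flag for restartable mode. Set with mbedtls_ecdh_enable_restart(). */`. The struct definition starts and ends outside this hunk, so whether other config-conditional members remain unwrapped cannot be checked from here.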
@@ -940,9 +940,9 @@ struct mbedtls_ssl_session
 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 /*! The digest of the peer's end-CRT. This must be kept to detect CRT
 * changes during renegotiation, mitigating the triple handshake attack. */
- unsigned char *peer_cert_digest;
- size_t peer_cert_digest_len;
- mbedtls_md_type_t peer_cert_digest_type;
+ unsigned char *MBEDTLS_PRIVATE(peer_cert_digest);
+ size_t MBEDTLS_PRIVATE(peer_cert_digest_len);
+ mbedtls_md_type_t MBEDTLS_PRIVATE(peer_cert_digest_type);
 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 uint32_t MBEDTLS_PRIVATE(verify_result); /*!< verification result */
diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h
index 6806dbddd6..c4f042c80b 100644
--- a/include/mbedtls/ssl_cookie.h
+++ b/include/mbedtls/ssl_cookie.h
@@ -59,7 +59,7 @@ typedef struct mbedtls_ssl_cookie_ctx
 {
 mbedtls_md_context_t MBEDTLS_PRIVATE(hmac_ctx); /*!< context for the HMAC portion */
 #if !defined(MBEDTLS_HAVE_TIME)
- unsigned long serial; /*!< serial number for expiration */
+ unsigned long MBEDTLS_PRIVATE(serial); /*!< serial number for expiration */
 #endif
 unsigned long MBEDTLS_PRIVATE(timeout); /*!< timeout delay, in seconds if HAVE_TIME, or in number of tickets issued */
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index 8acf22c7f3..d60b7732f3 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -32,6 +32,7 @@
 #ifndef PSA_CRYPTO_PLATFORM_H
 #define PSA_CRYPTO_PLATFORM_H
+#include "mbedtls/private_access.h"
 /* Include the Mbed TLS configuration file, the way Mbed TLS does it
 * in each of its header files. */
@@ -92,7 +93,7 @@ static inline int mbedtls_key_owner_id_equal( mbedtls_key_owner_id_t id1,
 * are expected to replace it with a custom definition. */
 typedef struct {
- uintptr_t opaque[2];
+ uintptr_t MBEDTLS_PRIVATE(opaque)[2];
 } mbedtls_psa_external_random_context_t;
 #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
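Review bot: Only `peer_cert_digest` is documented in the `#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */` block of `include/mbedtls/ssl.h`; the `/*! ... */` comment above it says nothing about `peer_cert_digest_len` or `peer_cert_digest_type`. With all three members now private, the header is the only place a maintainer learns their contract, so I would add trailing comments such as `/*!< Length of peer_cert_digest. */` and `/*!< Hash algorithm used for peer_cert_digest. */`. Because the existing comment ties the digest to the renegotiation check against the triple handshake attack, it is worth stating there that the stored value must stay unchanged for the lifetime of the session. `struct mbedtls_ssl_session` continues outside the hunk.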
diff --git a/setup_and_run_MBEDTLS_PRIVATE.sh b/setup_and_run_MBEDTLS_PRIVATE.sh
index 9a0e599790..aaf0a1cf55 100755
--- a/setup_and_run_MBEDTLS_PRIVATE.sh
+++ b/setup_and_run_MBEDTLS_PRIVATE.sh
@@ -8,3 +8,24 @@ doxygen mbedtls.doxyfile
 cd ..
 python3 apply_MBEDTLS_PRIVATE.py
 git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile
+
+make clean
+sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile
+scripts/config.py set MBEDTLS_ECP_RESTARTABLE
+scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+scripts/config.py unset MBEDTLS_HAVE_TIME
+cd doxygen
+doxygen mbedtls.doxyfile
+cd ..
+python3 apply_MBEDTLS_PRIVATE.py
+git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile
+
+make clean
+sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile
+scripts/config.py realfull
+cd doxygen
+doxygen mbedtls.doxyfile
+cd ..
+python3 apply_MBEDTLS_PRIVATE.py
+git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile
+
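Review bot: The two added passes run unguarded: if `scripts/config.py`, `cd doxygen` or `doxygen` fails, `apply_MBEDTLS_PRIVATE.py` still runs against whatever XML the previous pass left behind, and the closing `git checkout` then restores the files as if nothing went wrong. No `set -e` is visible here (the top of the script is outside the hunk), and the `sed` substitution silently does nothing when `GENERATE_XML = NO` does not match the doxyfile text exactly. A silent failure matters because its result is a header member left public that the pass was supposed to wrap. I would fold the stanza, now pasted three times, into one function that stops on the first error and verifies the substitution, as sketched below. The `git checkout` step also discards any uncommitted local edits to `config.h` and the doxyfile, which deserves a comment in the script.

```shell
# near the top of the script (outside this hunk)
set -eu

# One doxygen + apply pass; "$@" is the command that selects the configuration.
run_pass() {
    make clean
    # pattern as in the hunk; its spacing must match the doxyfile exactly
    sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile
    # stop if the substitution did not take effect
    grep -q 'GENERATE_XML = YES' doxygen/mbedtls.doxyfile
    "$@"
    (cd doxygen && doxygen mbedtls.doxyfile)
    python3 apply_MBEDTLS_PRIVATE.py
    git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile
}

select_restartable_config() {
    scripts/config.py set MBEDTLS_ECP_RESTARTABLE
    scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
    scripts/config.py unset MBEDTLS_HAVE_TIME
}

# ... unchanged: first pass on the default configuration ...
run_pass select_restartable_config
run_pass scripts/config.py realfull
```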