Ensure there is a blank line before headers (markdown portability)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

docs/4.0-migration-guide.md

@@ -211,6 +211,7 @@ If you integrate Mbed TLS with a platform or hardware drivers:
 - The PSA driver wrapper is now generated in TF-PSA-Crypto.
 - Platform-specific configuration are now handled in `crypto_config.h`.
 - See [Repository split](#repository-split) for how platform components moved to TF-PSA-Crypto.
+
 ## Compile-time configuration
 
 ### Configuration file split
@@ -255,6 +256,7 @@ The option to enable null cipher suites in TLS 1.2 has been renamed from `MBEDTL
 #### Removal of backward compatibility options
 
 The option `MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT` has been removed. Only the version standardized in RFC 9146 is supported now.
+
 ## PSA as the only cryptography API
 
 The PSA API is now the only API for cryptographic primitives.
@@ -278,6 +280,7 @@ See also [function prototype changes](#function-prototype-changes), many of whic
 ### Impact on the library configuration
 
 Mbed TLS follows the configuration of TF-PSA-Crypto with respect to cryptographic mechanisms. They are now based on `PSA_WANT_xxx` macros instead of legacy configuration macros such as `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15`, etc. The configuration of X.509 and TLS is not directly affected by the configuration. However, applications and middleware that rely on these configuration symbols to know which cryptographic mechanisms to support will need to migrate to `PSA_WANT_xxx` macros. For more information, consult the PSA transition guide in TF-PSA-Crypto.
+
 ## Private declarations
 
 Since Mbed TLS 3.0, some things that are declared in a public header are not part of the stable application programming interface (API), but instead are considered private. Private elements may be removed or may have their semantics changed in a future minor release without notice.
@@ -311,6 +314,7 @@ We strongly recommend against defining `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` or
 may not compile or work with future minor releases. If there's something you
 want to do that you feel can only be achieved by using one of these two macros,
 please reach out on github or the mailing list.
+
 ## Error codes
 
 ### Unified error code space
@@ -348,6 +352,7 @@ Many legacy error codes have been removed in favor of PSA error codes. Generally
 | `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL`     | `PSA_ERROR_BUFFER_TOO_SMALL`    |
 
 See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules.
+
 ## Removal of deprecated functions
 
 ### Removal of deprecated X.509 functions
@@ -362,6 +367,7 @@ The function was superseded by `mbedtls_ssl_conf_groups()`.
 ### Removal of `compat-2.x.h`
 
 The header `compat-2.x.h`, containing some definitions for backward compatibility with Mbed TLS 2.x, has been removed.
+
 ## Removed features
 
 ### Removal of obsolete key exchanges methods in (D)TLS 1.2
@@ -514,6 +520,7 @@ Following their removal from the crypto library, elliptic curves of less than 25
 The deprecated functions `mbedtls_ssl_conf_min_version()` and `mbedtls_ssl_conf_max_version()`, and the associated constants `MBEDTLS_SSL_MAJOR_VERSION_3`, `MBEDTLS_SSL_MINOR_VERSION_3` and `MBEDTLS_SSL_MINOR_VERSION_4` have been removed. Use `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` with `MBEDTLS_SSL_VERSION_TLS1_2` or `MBEDTLS_SSL_VERSION_TLS1_3` instead.
 
 The deprecated function `mbedtls_ssl_conf_sig_hashes()` has been removed. Use `mbedtls_ssl_conf_sig_algs()` instead.
+
 ## Function prototype changes
 
 A number of existing functions now take a different list of arguments, mostly to migrate them to the PSA API.
@@ -603,6 +610,7 @@ int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
                              psa_algorithm_t alg, psa_key_type_t key_type, psa_key_bits_t key_bits,
                              uint32_t lifetime);
 ```
+
 ## OID module
 
 The compilation option `MBEDTLS_OID_C` no longer exists. OID tables are included in the build automatically as needed for parsing and writing X.509 data.