Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server: rename files

https://github.com/Kicksecure/security-misc/issues/187

etc/default/grub.d/40_signed_modules.cfg#security-misc-shared

@@ -0,0 +1,37 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Require every kernel module to be signed before being loaded.
+## Any module that is unsigned or signed with an invalid key cannot be loaded.
+## This prevents all out-of-tree kernel modules unless signed.
+## This makes it harder to load a malicious module.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
+## https://github.com/dell/dkms/issues/359
+##
+## KSPP=yes
+## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+
+## Enable kernel lockdown to enforce security boundary between user and kernel space.
+## Confidentiality mode enforces module signature verification.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+##
+## KSPP=yes
+## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#if dpkg --compare-versions "${kver}" ge "5.4"; then
+#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+#fi