How can I enable debug lock (flash read protection) for my EFR32 application?
In particular, we are using Simplicity Commander to generate a hex file that combines our tokens for encryption and signing. We also use Commander to program our target and know that Commander can also lock a device on a target board with...
commander device lock
...but is there a way to enable debug lock via a hex file so that this step just happens as a matter of course when flashing our devices?
Yes, absolutely! In fact, because you are generating a hex file with tokens for use with Gecko Bootloader, it's a simple matter to modify this file to also enable debug lock.
As you're already running Commander with a series of different command line switches in order to generate everything needed for Gecko Bootloader, you just need to add one more call at the end of all of your processing:
commander convert <tokens file> --patch 0x0FE041FC:0:4 --outfile <output file>
Note in particular that <tokens file> should be the file you generate with Commander that contains your signing and encryption tokens. These are actually located in the lock bits page, so it's necessary to add the patch that sets the debug lock word (DLW) in this file.
Why is this the case? In theory, the DLW could be set in any hex file. Simplicity Commander or any other tool used to program the hex file into flash would write the required data wherever it needs to be located. However, if you program the tokens hex file after programming the DLW in another hex file, it's likely that your programming software (including Commander) would first erase the lock bits page, thus unlocking the device because debug lock does not take effect until after a reset.
Consequently, regardless of where or when you choose to enable debug lock, make sure it is part of the last flash programming operation performed so that it takes effect with the next reset and cannot otherwise be undone.
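A pre-flash check for the point above, as an added example that is not part of the original answer or of Simplicity Commander: it parses the Intel HEX file that will be programmed last and confirms that the four bytes at 0x0FE041FC hold the value 0 written by the --patch argument. The function names and the sample images are constructed for illustration.

```python
DLW_ADDR = 0x0FE041FC   # debug lock word address, taken from the --patch argument
DLW_LOCKED = bytes(4)   # "--patch ...:0:4" writes the value 0 over 4 bytes

def record(rtype, offset, data=b""):
    """Build one Intel HEX record with a valid checksum (used for the samples)."""
    body = bytes([len(data)]) + offset.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def parse_ihex(text):
    """Return {absolute address: byte value} for an Intel HEX image."""
    mem, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5 or sum(rec) & 0xFF:
            raise ValueError(f"line {n}: bad length or checksum")
        offset, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                mem[base + offset + i] = b
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x01:                     # end of file
            break
    return mem

def debug_lock_set(text):
    """True only if all four DLW bytes are present and equal the patched value."""
    mem = parse_ihex(text)
    word = [mem.get(DLW_ADDR + i) for i in range(4)]
    return None not in word and bytes(word) == DLW_LOCKED

# Constructed sample images (no real token data)
ELA = record(0x04, 0x0000, (DLW_ADDR >> 16).to_bytes(2, "big"))
EOF = record(0x01, 0x0000)
LOCKED = "\n".join([ELA, record(0x00, DLW_ADDR & 0xFFFF, bytes(4)), EOF])
UNPATCHED = "\n".join([ELA, record(0x00, 0x4000, b"\xAA" * 4), EOF])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LOCKED
    ok = debug_lock_set(text)
    print("DLW patch present" if ok else "DLW patch MISSING")
    sys.exit(0 if ok else 1)
```

Run it against the output file of the convert step in the build or production script; a non-zero exit status means the image would leave the debug lock word unset.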