Various systems and methods for providing secure and resilient configuration upgrades are described herein. A system, includes a processor; and memory to store instructions, which when executed by the processor, cause the system to: receive at a resilient security island (RSI) partition of a first network node, an update from a source, the first network node hosting the RSI partition and a host partition, the RSI comprising reserved hardware resources of the first network node; verify, by the RSI, provenance of the update; apply, by the RSI, the update to modify a configuration of the RSI or the host partition; test, by the RSI, the modified configuration of the RSI or the host partition; and provide a cryptographic proof that the test was completed and an update status to an update coordinator.