<cpu match='exact'>
  <model>Penryn</model>
  <feature name='vmx' policy='forbid'/>
</cpu>